Abstract

One key step in the Advanced Encryption Standard (AES), or Rijndael, algorithm is called
the “S-box”, the only nonlinear step in each round of encryption/decryption. A wide variety
of implementations of AES have been proposed, for various desiderata, that affect the S-box
in various ways. In particular, the most compact implementation to date, that of Satoh et
al. [12], performs the 8-bit Galois field inversion of the S-box using subfields of 4 bits and
of 2 bits. This work describes a refinement of this approach that minimizes the circuitry,
and hence the chip area, required for the S-box. While Satoh et al. [12] used polynomial
bases at each level, we consider also normal bases, with arithmetic optimizations; altogether,
432 different cases were considered. The isomorphism bit matrices are fully optimized,
improving on the “greedy algorithm.” The best case reduces the number of gates in the
S-box by 20%. This decrease in chip area could be important for area-limited hardware
implementations, e.g., smart cards. And for applications using larger chips, this approach
could allow more copies of the S-box, for parallelism and/or pipelining in non-feedback
modes of AES.


1  Introduction 

The Advanced Encryption Standard (AES) was specified in 2001 by the National Institute
of Standards and Technology [9]. The purpose is to provide a standard algorithm for
encryption, strong enough to keep U.S. government documents secure for at least the next
20 years. The earlier Data Encryption Standard (DES) had been rendered insecure by advances
in computing power, and was effectively replaced by triple-DES. Now AES will largely
replace triple-DES for government use, and will likely become widely adopted for a variety
of encryption needs, such as secure transactions via the Internet. As Secretary of Commerce
Norman Y. Mineta put it in announcing AES, “...this standard will serve as a critical
computer security tool supporting the rapid growth of electronic commerce. This is a very
significant step toward creating a more secure digital economy. It will allow e-commerce and
e-government to flourish safely, creating new opportunities for all Americans.” [7]

A wide variety of approaches to implementing AES have appeared, to satisfy the varying
criteria of different applications. Some approaches seek to maximize throughput, e.g., [5], [14]
and [2]; others minimize power consumption, e.g., [6]; and yet others minimize circuitry, e.g.,
[11], [12], [15], and [1]. For the latter goal, Rijmen [10] suggested using subfield arithmetic
in the crucial step of computing an inverse in the Galois Field of 256 elements, essentially
expressing an 8-bit calculation in terms of 4-bit ones. This idea was further extended by
Satoh et al. [12], breaking up the 4-bit calculations into 2-bit ones, which resulted in the
smallest AES circuit to date.

The  current  work  improves  on  the  compact  implementation  of  [12]  in  the  following  ways. 
Many  (432)  choices  of  representation  (isomorphisms)  were  compared,  and  the  most  compact 
turns  out  to  use  a  normal  basis  for  each  subfield  ([12]  uses  a  polynomial  basis  for  each 
subfield).  And  while  [12]  used  the  “greedy  algorithm”  to  reduce  the  number  of  gates  in  the 
bit  matrices  required  in  changing  representations,  here  each  bit  matrix  is  fully  optimized, 
resulting  in  the  minimum  number  of  gates.  These  various  refinements  result  in  an  S-box 
circuit  that  is  20%  smaller,  a  significant  improvement. 

The AES algorithm, also called the Rijndael algorithm, is a symmetric encryption algorithm,
meaning encryption and decryption are performed by essentially the same steps. It
is a block cipher, where the data is encrypted/decrypted in blocks of 128 bits. (The original
Rijndael algorithm allows other block sizes, but the Standard only permits 128-bit blocks.)
Each data block is modified by several “rounds” of processing, where each round involves
four steps. Three different key sizes are allowed: 128 bits, 192 bits, or 256 bits, and the
corresponding number of rounds for each is 10 rounds, 12 rounds, or 14 rounds, respectively.
From the original key, a different “round key” is computed for each of these rounds. For
simplicity, the discussion below will use a key length of 128 bits and hence 10 rounds.

There are several different modes in which AES can be used [8]. For some of these, such
as Cipher Block Chaining (CBC), the result of encrypting one block is used in encrypting
the next. These are called feedback modes, and the feedback effectively precludes pipelining
(simultaneous processing of several blocks in the “pipeline”). Other modes, such as the
“Electronic Code Book” mode or “Counter” modes, do not require feedback. These
non-feedback modes may be pipelined for greater throughput.

The four steps in each round of encryption, in order, are called SubBytes (byte
substitution), ShiftRows, MixColumns, and AddRoundKey. Before the first round, the input block
is processed by AddRoundKey; one could consider this round number zero. Also, the last
round, number ten, skips the MixColumns step. Otherwise, all rounds are the same, except
each uses a different round key, and the output of one round becomes the input for the next.
(For decryption, the mathematical inverse of each step is used, in reverse order; certain
manipulations allow this to appear like the same steps as encryption with certain constants
changed.)

Of these four steps, three of them (ShiftRows, MixColumns, and AddRoundKey) are
linear, in the sense that the output 128-bit block for such steps is just the linear combination
(bitwise, modulo 2) of the outputs for each separate input bit. These three steps are all easy
to implement by direct calculation in software or hardware.

The single nonlinear step is the SubBytes (byte substitution) step, where each byte (8
bits) of the input is replaced by the result of applying the “S-box” function to that byte.
This nonlinear function involves finding the inverse of the 8-bit number, considered as an
element of the Galois field $GF(2^8)$. This is not a simple calculation, and so many current
implementations use a table of the S-box function output; the input byte is an index into
the table to find the output. This table look-up method is fast and easy to implement.

But  for  hardware  implementations  of  AES,  there  is  one  drawback  of  the  table  look-up 
approach  to  the  S-box  function:  each  copy  of  the  table  requires  256  bytes  of  storage,  along 
with  the  circuitry  to  address  the  table  and  fetch  the  results.  Each  of  the  16  bytes  in  a  block 
can  go  through  the  S-box  function  independently,  and  so  could  be  processed  in  parallel  for 
the  byte  substitution  step.  This  then  effectively  requires  16  copies  of  the  S-box  table  for  one 
round.  To  fully  pipeline  the  encryption  would  entail  “unrolling”  the  loop  of  10  rounds  into 
10  sequential  copies  of  the  round  calculation.  This  would  require  160  copies  of  the  S-box 
table,  a  significant  allocation  of  hardware  resources. 

In  contrast,  this  work  describes  a  direct  calculation  of  the  S-box  function  using  sub-field 
arithmetic,  similar  to  [12].  While  the  calculation  is  complicated  to  describe,  the  advantage 
is  that  the  circuitry  required  to  implement  this  in  hardware  is  relatively  simple,  in  terms 
of  the  number  of  logic  gates  required.  This  type  of  S-box  implementation  is  significantly 
smaller  (less  area)  than  the  table  it  replaces,  especially  with  the  optimizations  in  this  work. 
Furthermore,  when  chip  area  is  limited,  this  compact  implementation  may  allow  parallelism 
in  each  round  and/or  unrolling  of  the  round  loop,  for  a  significant  gain  in  speed. 

The  rest  of  the  paper  describes  the  algorithm  in  detail.  Section  2  describes  some  basics 
of  Galois  field  arithmetic  and  representations,  essential  to  the  algorithm.  The  basic  idea  of 
the  algorithm  is  explained  in  Section  3.  Section  4  discusses  ways  to  optimize  the  calculation, 
Section  5  describes  the  choices  of  representation,  and  Section  6  gives  the  detailed  formulas 
of  the  algorithm.  Finally,  Section  7  summarizes  the  work. 


2 Galois Fields $GF(p^n)$


Finite  fields,  or  Galois  fields,  are  important  in  many  applications,  such  as  error-correcting 
codes [4],  and  have  been  studied  extensively  (one  good  reference  is  [3]).  Here  we  give  only  a 
brief,  informal  introduction  to  the  properties  necessary  for  the  AES  algorithm. 

A field is a set $F$ of elements with two binary operations, say $\oplus$ and $\otimes$. We will call
these addition and multiplication, and will sometimes use the standard notation $a + b$ and
$ab$ instead of $a \oplus b$ and $a \otimes b$, for simplicity. These operations must satisfy certain properties
(here $a$, $b$, $c$ represent arbitrary elements of $F$):

1. the set is closed with respect to both operations:
   (a) $a \oplus b \in F$
   (b) $a \otimes b \in F$

2. both operations are associative:
   (a) $(a \oplus b) \oplus c = a \oplus (b \oplus c)$
   (b) $(a \otimes b) \otimes c = a \otimes (b \otimes c)$

3. both operations are commutative:
   (a) $a \oplus b = b \oplus a$
   (b) $a \otimes b = b \otimes a$

4. the operations obey the distributive law: $(a \oplus b) \otimes c = (a \otimes c) \oplus (b \otimes c)$

5. each operation has an identity (call the identities 0 and 1):
   (a) $a \oplus 0 = a$
   (b) $a \otimes 1 = a$

6. each element $a$ has an additive inverse (say $q$): $a \oplus q = 0$ (this defines subtraction; the
   standard notation for the additive inverse of $a$ is $-a$)

7. each nonzero element $a \neq 0$ has a multiplicative inverse (say $r$): $a \otimes r = 1$ (this defines
   division; the standard notation for the multiplicative inverse of $a$ is $a^{-1}$)

Familiar  examples  are  the  field  of  rational  numbers,  the  field  of  real  numbers,  and  the  field 
of  complex  numbers.  If  a  subset  of  a  field  is  itself  a  field,  using  the  same  operations,  then  it 
is  called  a  subfield.  For  example,  the  rational  numbers  is  a  subfield  of  the  real  numbers. 

If a field has only a finite number of elements, it is a finite field. But given some finite
set, it is not always possible to define two operations with the above properties; it is only
possible if the number of elements in the set is of the form $p^n$ where $p$ is a prime number
and $n$ is a positive integer. Then $p^n$ is called the order of the field and $p$ is called the
characteristic of the field. So there is no field of 6 elements, for example, but there is a field
of 7 elements and a field of 8 ($= 2^3$) elements. Given a set of $p^n$ elements there may be more
than one way to define the operations to produce a field, but these different ways give fields
that are isomorphic: by changing the names we can change one field into the other; the
structure remains the same. So in this sense there is only one finite field for a given number
of elements $p^n$; we call this the Galois Field $GF(p^n)$. (We will also use the notation of [3]
for this field: $\mathbb{F}_k$, where $k = p^n$.) If a positive integer $m$ is a factor of $n$, then $GF(p^m)$ is a
subfield of $GF(p^n)$.

The simplest example is $GF(2) = \{0, 1\}$ with the usual addition and multiplication except
$1 \oplus 1 = 0$; this is also called arithmetic modulo 2. Note that in this field, each element is
its own additive inverse, so subtraction is the same as addition. This is true for all fields
$GF(2^k)$ of characteristic 2.

Another example that will be important later is $GF(2^2)$, whose elements will be labeled
$\{0, 1, \Omega, \Psi\}$. The operations are defined by the tables below:

    ⊕ | 0  1  Ω  Ψ          ⊗ | 0  1  Ω  Ψ
    --+-----------          --+-----------
    0 | 0  1  Ω  Ψ          0 | 0  0  0  0
    1 | 1  0  Ψ  Ω          1 | 0  1  Ω  Ψ
    Ω | Ω  Ψ  0  1          Ω | 0  Ω  Ψ  1
    Ψ | Ψ  Ω  1  0          Ψ | 0  Ψ  1  Ω

Note that if we swap the names $\Omega$ and $\Psi$ everywhere, we get exactly the same operations,
i.e., the same field. Also note that $GF(2^2)$ contains the subfield $GF(2) = \{0, 1\}$.

There are several different ways to look at a Galois field. An element $a$ of $GF(p^n)$ is
called primitive if all its powers are different: $a^0, a^1, a^2, \ldots, a^{p^n - 2}$. (For any nonzero
element $b$, $b^{p^n - 1} = 1$; for any element $b$, $b^{p^n} = b$.) Hence the powers of a primitive
element give all the nonzero elements of $GF(p^n)$. Every finite field has at least one primitive
element, so one way to look at the field is in terms of powers of that element. For example,
in $GF(2^2)$, $\Omega$ is a primitive element: $1 = \Omega^0$, $\Omega = \Omega^1$, $\Psi = \Omega^2$. This viewpoint makes
multiplication easy: add the exponents modulo $p^n - 1$. But then addition is less obvious.

Another viewpoint involves polynomials, in some variable $x$, with coefficients in $GF(p)$;
these are called polynomials over $GF(p)$. Each element of $GF(p^n)$ can be considered a
polynomial over $GF(p)$, of degree less than $n$. Then addition just means adding the coefficients
modulo $p$. Multiplication must be done modulo some specified polynomial $q(x)$, of degree $n$,
with leading coefficient equal to 1; also $q(x)$ must be irreducible, which means it is not the
product of two polynomials of lower degree.

For example, in $GF(2^2)$ the only choice for $q(x)$ is $x^2 + x + 1$ (because the others factor:
$x^2 = x \cdot x$, $x^2 + x = x(x + 1)$, $x^2 + 1 = (x + 1)(x + 1)$; remember the coefficient arithmetic is
modulo 2). Then we could think of $GF(2^2)$ as $\{0, 1, x, x + 1\}$ where $x \otimes x = (x^2 \bmod q) =
x^2 \oplus (x^2 + x + 1) = x + 1$, and similarly $x \otimes (x + 1) = (x^2 + x) \oplus (x^2 + x + 1) = 1$ and
$(x + 1) \otimes (x + 1) = (x^2 + 1) \oplus (x^2 + x + 1) = x$.

This polynomial viewpoint makes more sense if we think of the variable $x$ as being a root
of the polynomial, so $q(x) = 0$. Then adding or subtracting multiples of $q(x)$ is just adding
zero. In the first representation of $GF(2^2)$, note that $\Omega^2 \oplus (\Omega \oplus 1) = \Psi \oplus \Psi = 0$, so we could
identify $x = \Omega$. Alternatively, we could identify $x = \Psi$ (switching the names as before), the
other root.

Another viewpoint is that the field $GF(p^n)$ is a vector space of dimension $n$, with vector
addition $\oplus$ and multiplication by scalars in $GF(p)$ (i.e., modulo $p$). (The vector viewpoint
is convenient for choosing a representation, but does not fully reflect the multiplication
operation $\otimes$.) Then any $n$ linearly independent elements $\{b_1, b_2, \ldots, b_n\}$ of $GF(p^n)$ give a
basis, and we can indicate any element $a$ by its list of coefficients with respect to this basis:
if $a = c_1 \otimes b_1 \oplus c_2 \otimes b_2 \oplus \cdots \oplus c_n \otimes b_n$ (with each $c_i \in GF(p)$) then $a$ is represented by the list
of numbers $[c_1, c_2, \ldots, c_n]$. For small $p$ this list commonly is written as digits in positional
notation: $c_1 c_2 \ldots c_n$.

For example, the polynomial viewpoint for $GF(2^2)$, with $x = \Omega$, corresponds to using the
ordered basis $[\Omega^1, \Omega^0]$; this is called a polynomial basis. Using this basis: $0 = 0\Omega^1 + 0\Omega^0 = 00$,
$1 = 0\Omega^1 + 1\Omega^0 = 01$, $\Omega = 1\Omega^1 + 0\Omega^0 = 10$, $\Psi = 1\Omega^1 + 1\Omega^0 = 11$. This defines a field of 2-bit
binary numbers (where $\oplus$ is bitwise exclusive-or), where for example $11 \otimes 11 = 10$.

But different choices of basis are also possible. Another type of basis with convenient
properties is called a normal basis, of the form $\{b^{p^0}, b^{p^1}, \ldots, b^{p^{n-1}}\}$, where the element $b$ of
$GF(p^n)$ must be chosen to make that set of powers linearly independent. (One nice property
is that an isomorphism [name change] on the field has the same effect as rotating this list of
basis elements.)

Using the ordered normal basis $[\Omega^{2^1}, \Omega^{2^0}] = [\Psi, \Omega]$ for $GF(2^2)$ gives the correspondence
$0 = 0\Psi + 0\Omega = 00$, $1 = 1\Psi + 1\Omega = 11$, $\Omega = 0\Psi + 1\Omega = 01$, $\Psi = 1\Psi + 0\Omega = 10$. This gives
a different 2-bit representation of $GF(2^2)$; addition $\oplus$ is still bitwise exclusive-or, but now
for example $11 \otimes 11 = 11$. So in one sense this is a different field, but it has exactly the
same structure as the previous version, only the names have been changed to confuse the
innocent.

The polynomial representation idea can be generalized. For any finite field $F$ (of
characteristic $p$) containing a subfield $S$, where $S$ is of order $r = p^j$ and $F$ is of order $r^k = p^{jk}$,
the elements of $F$ can be represented as polynomials of degree less than $k$, with
coefficients in $S$ (i.e., polynomials over $S$). We notate this view of the field as $F/S$ (read as
$F$ “over” $S$). Again, addition just means adding the coefficients in $S$, and multiplication is
done modulo some polynomial $q(x)$, of degree $k$. The coefficients of $q(x)$ also belong to $S$,
with the leading coefficient equal to 1, and $q(x)$ must be irreducible over $S$ (for the quadratics
and cubics used here, equivalently, no element of $S$ is a root). For example, the elements of
$GF(5^6)$ can be represented as polynomials of the form $c_2 x^2 + c_1 x + c_0$, with all the
$c_i \in GF(5^2)$, modulo the polynomial $q(x) = x^3 + x^2 + x + 3$, which is irreducible over $GF(5^2)$.

Since the names of the elements of $GF(p^n)$ change with choice of representation, we
might wonder if the elements have certain properties that are independent of representation,
a sort of identification. One such property is the minimal polynomial (over $GF(p)$) of a given
element $a$. This is the irreducible polynomial of smallest degree, with coefficients in $GF(p)$
and leading coefficient $= 1$, having $a$ as a root. The degree $m$ of the minimal polynomial is
always $\le n$, and that minimal polynomial has $m$ distinct roots in $GF(p^n)$. Elements with the
same minimal polynomial are called conjugates; if one of them is $a$ then the $m$ conjugates are
$\{a, a^p, a^{p^2}, \ldots, a^{p^{m-1}}\}$. Each isomorphism of $GF(p^n)$ corresponds to replacing each element $b$
by $b^{p^k}$ (for some integer $k$), and so in effect rotates each set of conjugates. For any primitive
element, the minimal polynomial is called a primitive polynomial and has degree $n$. (Note
that a normal basis is a set of $n$ distinct conjugates.) In $GF(2^2)$ for example, the minimal
polynomial for 0 is $x$, that for 1 is $x + 1$, and the one for $\Omega$ and $\Psi$ is $x^2 + x + 1$ (they are
conjugate primitive elements).

Again, these ideas can be extended to elements of $F = GF(p^n)$ as polynomials over any
subfield $S$ of order $r = p^j$, where $n = jk$ for some $k$, so $F$ is of order $r^k$. Then each element $a$
of $F$ has a minimal polynomial over $S$, of degree $m \le k$, with $m$ distinct roots in $F$, and the
$m$ conjugates of $a$ over $S$ are $\{a, a^r, a^{r^2}, \ldots, a^{r^{m-1}}\}$. Also $F/S$ is a vector space of dimension
$k$ over $S$, and a normal basis is a set of $k$ distinct conjugates.

The trace of $a$ over $S$ is then defined as

$$\mathrm{Tr}_{F/S}(a) = a + a^r + a^{r^2} + \cdots + a^{r^{k-1}}$$

and the norm is defined as

$$N_{F/S}(a) = a \cdot a^r \cdot a^{r^2} \cdots a^{r^{k-1}}$$

(If the minimal polynomial of $a$ is of degree $k$, then the trace is the sum of the conjugates
and the norm is the product of the conjugates.) It turns out that both the trace and the
norm are always elements of the subfield $S$. For example, in $GF(2^2)/GF(2)$, both the trace
and the norm of $\Omega$ are 1.

This brief introduction to Galois fields only covers the points relevant to the algorithm
below. A nice, succinct introduction is given in [4]; for more depth and rigor, see [3].

3  S-box  Algorithm 

The S-box function of an input byte $a$ is defined by two substeps:

1. Inverse: Let $c = a^{-1}$, the multiplicative inverse in $GF(2^8)$ (except if $a = 0$ then $c = 0$).

2. Affine Transformation: Then the output is $s = Mc \oplus b$, where $M$ is a specified $8 \times 8$
matrix of bits, $b$ is a specified byte, and the bytes $c$, $b$, $s$ are treated as vectors of bits.
More explicitly:

$$
\begin{pmatrix} s_7 \\ s_6 \\ s_5 \\ s_4 \\ s_3 \\ s_2 \\ s_1 \\ s_0 \end{pmatrix}
=
\begin{pmatrix}
1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \\
1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\
1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\
1 & 1 & 1 & 1 & 0 & 0 & 0 & 1
\end{pmatrix}
\begin{pmatrix} c_7 \\ c_6 \\ c_5 \\ c_4 \\ c_3 \\ c_2 \\ c_1 \\ c_0 \end{pmatrix}
\oplus
\begin{pmatrix} 0 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \end{pmatrix}
$$

where bit 7 is the most significant and all bit operations are modulo 2.

The  second  substep  is  affine  (linear  plus  a  constant)  and  easy  to  implement;  the  algorithm 
for  the  first  substep,  finding  the  inverse,  is  described  below. 

The AES algorithm uses the particular Galois field of 8-bit bytes where the bits are
coefficients of a polynomial (i.e., a polynomial basis), and multiplication is modulo the
irreducible polynomial $q(x) = x^8 + x^4 + x^3 + x + 1$. (A 9-bit binary representation is $q(x) =
100011011$; this is the “smallest” irreducible polynomial of degree 8 over $GF(2)$, in the sense
of comparing the binary number representations.) Let $A$ be one root of $q(x)$; we will think of
the polynomial basis as $[A^7, A^6, A^5, A^4, A^3, A^2, A, 1]$. It turns out that $A = 00000010$ is not a
primitive element, but $A + 1 = 00000011$ is; we call it $B$. ($B$ is a root of the second smallest
irreducible polynomial: $100011101$; see Table D.3 for more details.) Some implementations
of AES use logarithm and antilogarithm tables, base $B$ (as shown in Appendix D), for finding
inverses and products in $GF(2^8)$. In particular, $A = B^{25}$. (Note: we will use Roman letters
for specific elements of $GF(2^8)$, lowercase Greek letters for elements of $GF(2^4)$, and uppercase
Greek letters for $GF(2^2)$; the naming scheme is summarized in Table D.3.)
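The S-box as just defined, computed directly in the AES polynomial-basis representation. This is an added example, not code from the paper: it inverts a byte by exponentiation ($a^{254} = a^{-1}$, which also sends 0 to 0), applies the bit matrix and constant given above, and checks the statements about $A$ and $B$ (that $B = 00000011$ is primitive, $A = 00000010$ is not, and $A = B^{25}$). All function and constant names are this example's own.

```python
"""The AES S-box from its definition: a GF(2^8) inverse, then the affine map.

Added example, not code from the paper.  It works in the AES polynomial-basis
representation (a byte's bits are the coefficients of x^7 .. 1, reduction
modulo x^8 + x^4 + x^3 + x + 1) and takes the bit matrix and constant above
as given.  All names below are this example's own.
"""

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, i.e. the 9-bit form 100011011


def gf_mul(a, b):
    """Shift-and-add multiplication of two bytes modulo AES_POLY."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:          # degree reached 8: subtract (xor) the modulus
            a ^= AES_POLY
        b >>= 1
    return p


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a):
    """a^-1 = a^254, since a^255 = 1 for nonzero a; 0 maps to 0, as SubBytes needs."""
    return gf_pow(a, 254)


# Rows of the bit matrix M above, top row (s7) first; bit j of a row is the
# entry in the column of c_j, so c7 is the leftmost column as in the figure.
M_ROWS = [0b11111000, 0b01111100, 0b00111110, 0b00011111,
          0b10001111, 0b11000111, 0b11100011, 0b11110001]
B = 0x63   # the constant vector b, bits b7..b0 = 0 1 1 0 0 0 1 1


def affine(c):
    """s = M c (+) b, every product and sum taken modulo 2."""
    s = 0
    for i, row in enumerate(M_ROWS):
        parity = bin(row & c).count("1") & 1   # one row of M dotted with c
        s |= parity << (7 - i)                  # row 0 is s7, the top bit
    return s ^ B


def sbox(a):
    return affine(gf_inv(a))


def multiplicative_order(a):
    """Smallest k >= 1 with a^k = 1; 255 means a generates every nonzero element."""
    if a == 0:
        raise ValueError("0 has no multiplicative order")
    r, k = a, 1
    while r != 1:
        r, k = gf_mul(r, a), k + 1
    return k


def sbox_is_a_permutation():
    return len({sbox(a) for a in range(256)}) == 256
```

Because `gf_inv` is a plain exponentiation it has no data-dependent branch on the zero input, which is why the "except if $a = 0$" clause in the definition needs no special handling here.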

Direct  calculation  of  the  inverse  (modulo  an  eighth-degree  polynomial)  of  a  seventh- degree 
polynomial  is  not  easy.  But  calculation  of  the  inverse  (modulo  a  second-degree  polynomial) 
of  a  first-degree  polynomial  is  relatively  easy,  as  pointed  out  by  Rijmen  [10].  This  suggests 
the  following  changes  of  representation. 

First, we use the isomorphism between $GF(2^8)$ and $GF(2^8)/GF(2^4)$ to represent a general
element $g$ of $GF(2^8)$ as a polynomial (in $y$) over $GF(2^4)$, of degree 1 or less, as $g = \gamma_1 y + \gamma_0$,
with multiplication modulo an irreducible polynomial $r(y) = y^2 + \tau y + \nu$. Here, all the
coefficients are in $GF(2^4)$. Then the pair $[\gamma_1, \gamma_0]$ represents $g$ in terms of a polynomial
basis $[Y, 1]$ where $Y$ is one root of $r(y)$. Of course, we are free to use any basis for this
representation, for example the normal basis $[Y^{16}, Y]$. Note that

$$r(y) = y^2 + \tau y + \nu = (y + Y)(y + Y^{16})$$

so $\tau = \mathrm{Tr}_{F_{256}/F_{16}}(Y)$ is the trace and $\nu = N_{F_{256}/F_{16}}(Y)$ is the norm of $Y$.

Second, using $GF(2^4)/GF(2^2)$ we can similarly represent $GF(2^4)$ as linear polynomials
(in $z$) over $GF(2^2)$, as $\gamma = \Gamma_1 z + \Gamma_0$, with multiplication modulo an irreducible polynomial
$s(z) = z^2 + Tz + N$, with all the coefficients in $GF(2^2)$. Again, this uses a polynomial basis
$[Z, 1]$ for $GF(2^4)/GF(2^2)$, where $Z$ is one root of $s(z)$. We could use any basis, such as the
normal basis $[Z^4, Z]$. And for the same reasons above, $T = \mathrm{Tr}_{F_{16}/F_4}(Z)$ is the trace and
$N = N_{F_{16}/F_4}(Z)$ is the norm of $Z$ (considering $T$ and $N$ as uppercase Greek for $\tau$ and $\nu$).

Third, we use $GF(2^2)/GF(2)$ to represent $GF(2^2)$ as linear polynomials (in $w$) over $GF(2)$,
as $\Gamma = g_1 w + g_0$, with multiplication modulo $t(w) = w^2 + w + 1$, where $g_1, g_0 \in \{0, 1\}$. This
uses a polynomial basis $[W, 1]$, where $W$ is either $\Omega$ or $\Psi$; a normal basis would be $[W^2, W]$.
(Note that the trace and norm of $\Omega$ and $\Psi$ are 1.)

This allows operations in $GF(2^8)$ to be expressed in terms of simpler operations in $GF(2^4)$,
which in turn are expressed in the simple operations of $GF(2^2)$. In particular, we want to
find the inverse in $GF(2^8)$. Say the inverse of $g = \gamma_1 y + \gamma_0$ is $d = \delta_1 y + \delta_0$. Then (recalling
subtraction is the same as addition in $GF(2^n)$)

$$
\begin{aligned}
gd &= (\gamma_1 y + \gamma_0)(\delta_1 y + \delta_0) \bmod (y^2 + \tau y + \nu) \\
   &= [(\gamma_1\delta_1) y^2 + (\gamma_1\delta_0 + \gamma_0\delta_1) y + (\gamma_0\delta_0)] \bmod (y^2 + \tau y + \nu) \\
   &= [(\gamma_1\delta_1) y^2 + (\gamma_1\delta_0 + \gamma_0\delta_1) y + (\gamma_0\delta_0)] + (\gamma_1\delta_1)(y^2 + \tau y + \nu) \\
   &= (\gamma_1\delta_0 + \gamma_0\delta_1 + \gamma_1\delta_1\tau)\, y + (\gamma_0\delta_0 + \gamma_1\delta_1\nu) \\
   &= 1 = 0y + 1
\end{aligned}
$$

Solving the two equations

$$0 = \gamma_1\delta_0 + (\gamma_0 + \gamma_1\tau)\delta_1, \qquad 1 = \gamma_0\delta_0 + (\gamma_1\nu)\delta_1$$

by multiplying the first by $\gamma_0$ and the second by $\gamma_1$,

$$0 = \gamma_1\gamma_0\delta_0 + (\gamma_0^2 + \gamma_1\gamma_0\tau)\delta_1, \qquad \gamma_1 = \gamma_1\gamma_0\delta_0 + (\gamma_1^2\nu)\delta_1,$$

and adding them, gives

$$\gamma_1 = (\gamma_1^2\nu + \gamma_1\gamma_0\tau + \gamma_0^2)\,\delta_1, \qquad \gamma_1\delta_0 = (\gamma_0 + \gamma_1\tau)\,\delta_1$$

so that

$$\delta_1 = (\gamma_1^2\nu + \gamma_1\gamma_0\tau + \gamma_0^2)^{-1}\,\gamma_1, \qquad
\delta_0 = (\gamma_1^2\nu + \gamma_1\gamma_0\tau + \gamma_0^2)^{-1}\,(\gamma_0 + \gamma_1\tau)$$

So finding an inverse in $GF(2^8)$ involves an inverse and several multiplications in $GF(2^4)$.
(Addition in $GF(2^4)$ as 4-bit elements, using any basis, is just bitwise exclusive-or.)
Similarly, to find the inverse in $GF(2^4)$ of $\gamma = \Gamma_1 z + \Gamma_0$ as $\delta = \Delta_1 z + \Delta_0$, then

$$\gamma\delta = (\Gamma_1\Delta_0 + \Gamma_0\Delta_1 + \Gamma_1\Delta_1 T)\, z + (\Gamma_0\Delta_0 + \Gamma_1\Delta_1 N)$$

so

$$\Delta_1 = (\Gamma_1^2 N + \Gamma_1\Gamma_0 T + \Gamma_0^2)^{-1}\,\Gamma_1, \qquad
\Delta_0 = (\Gamma_1^2 N + \Gamma_1\Gamma_0 T + \Gamma_0^2)^{-1}\,(\Gamma_0 + \Gamma_1 T)$$

And to find the inverse in $GF(2^2)$ of $\Gamma = g_1 w + g_0$ as $\Delta = d_1 w + d_0$, then

$$\Gamma\Delta = (g_1 d_0 + g_0 d_1 + g_1 d_1)\, w + (g_0 d_0 + g_1 d_1)$$

so

$$d_1 = (g_1^2 + g_1 g_0 + g_0^2)^{-1}\, g_1, \qquad d_0 = (g_1^2 + g_1 g_0 + g_0^2)^{-1}\,(g_0 + g_1)$$

since both coefficients (trace and norm) in the polynomial $t(w)$ are 1. This can be further
simplified because for $g \in GF(2)$, $g^2 = g$ and $g^{-1} = g$ (with $0^{-1}$ taken as 0), so

$$
\begin{aligned}
d_1 &= (g_1 + g_1 g_0 + g_0)\, g_1 = g_1 + g_1 g_0 + g_1 g_0 = g_1 \\
d_0 &= (g_1 + g_1 g_0 + g_0)\,(g_0 + g_1) = g_1 g_0 + g_1 + g_1 g_0 + g_1 g_0 + g_0 + g_1 g_0 = g_1 + g_0
\end{aligned}
$$

Note  that  if  the  above  inversion  formulas  are  applied  to  a  zero  input  then  the  output  will 
also  be  zero,  so  that  special  case  is  handled  automatically. 

How do these calculations change if we use normal bases at each level? In $GF(2^8)$, to
find the inverse of $g = \gamma_1 Y^{16} + \gamma_0 Y$ as $d = \delta_1 Y^{16} + \delta_0 Y$, we use the fact that both $Y$ and $Y^{16}$
satisfy $y^2 + \tau y + \nu = 0$ where $\tau = Y^{16} + Y$ and $\nu = (Y^{16})Y$. Then $1 = \tau^{-1}(Y^{16} + Y)$, so:

$$
\begin{aligned}
gd &= (\gamma_1 Y^{16} + \gamma_0 Y)(\delta_1 Y^{16} + \delta_0 Y) \\
   &= (\gamma_1\delta_1)(Y^{16})^2 + (\gamma_1\delta_0 + \gamma_0\delta_1)(Y^{16})Y + (\gamma_0\delta_0)Y^2 \\
   &= (\gamma_1\delta_1)(\tau Y^{16} + \nu) + (\gamma_1\delta_0 + \gamma_0\delta_1)\nu + (\gamma_0\delta_0)(\tau Y + \nu) \\
   &= (\gamma_1\delta_1\tau)Y^{16} + (\gamma_0\delta_0\tau)Y + [(\gamma_1\delta_1)\nu + (\gamma_1\delta_0 + \gamma_0\delta_1)\nu + (\gamma_0\delta_0)\nu] \\
   &= (\gamma_1\delta_1\tau)Y^{16} + (\gamma_0\delta_0\tau)Y + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}(Y^{16} + Y) \\
   &= [\gamma_1\delta_1\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}]\,Y^{16}
      + [\gamma_0\delta_0\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}]\,Y \\
   &= 1 = \tau^{-1}(Y^{16} + Y)
\end{aligned}
$$

Solving the two equations

$$\tau^{-1} = \gamma_1\delta_1\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}, \qquad
  \tau^{-1} = \gamma_0\delta_0\tau + (\gamma_1 + \gamma_0)(\delta_1 + \delta_0)\nu\tau^{-1}$$

(adding the two cancels the common term; multiplying the first by $\tau$ and expanding the
product, then using the first result below to drop $\gamma_1\delta_1 + \gamma_0\delta_0$) gives

$$0 = \gamma_1\delta_1 + \gamma_0\delta_0, \qquad 1 = \gamma_1\delta_1\tau^2 + (\gamma_1\delta_0 + \gamma_0\delta_1)\nu$$

Multiplying the second by $\gamma_0$ and using $\gamma_0\delta_0 = \gamma_1\delta_1$ again,

$$
\begin{aligned}
\gamma_0 &= \gamma_1\gamma_0\delta_1\tau^2 + (\gamma_1\gamma_0\delta_0 + \gamma_0^2\delta_1)\nu \\
         &= \gamma_1\gamma_0\delta_1\tau^2 + (\gamma_1^2\delta_1 + \gamma_0^2\delta_1)\nu \\
         &= [\gamma_1\gamma_0\tau^2 + (\gamma_1^2 + \gamma_0^2)\nu]\,\delta_1
\end{aligned}
$$

so that (the expression for $\delta_0$ following in the same way, multiplying by $\gamma_1$ instead)

$$\delta_1 = [\gamma_1\gamma_0\tau^2 + (\gamma_1^2 + \gamma_0^2)\nu]^{-1}\,\gamma_0, \qquad
  \delta_0 = [\gamma_1\gamma_0\tau^2 + (\gamma_1^2 + \gamma_0^2)\nu]^{-1}\,\gamma_1$$

Again, finding an inverse in $GF(2^8)$ involves an inverse and several multiplications in $GF(2^4)$.
Analogously, to find the inverse in $GF(2^4)$ of $\gamma = \Gamma_1 Z^4 + \Gamma_0 Z$ as $\delta = \Delta_1 Z^4 + \Delta_0 Z$, then

$$\gamma\delta = [\Gamma_1\Delta_1 T + (\Gamma_1 + \Gamma_0)(\Delta_1 + \Delta_0) N T^{-1}]\,Z^4
              + [\Gamma_0\Delta_0 T + (\Gamma_1 + \Gamma_0)(\Delta_1 + \Delta_0) N T^{-1}]\,Z$$

so

$$\Delta_1 = [\Gamma_1\Gamma_0 T^2 + (\Gamma_1^2 + \Gamma_0^2) N]^{-1}\,\Gamma_0, \qquad
  \Delta_0 = [\Gamma_1\Gamma_0 T^2 + (\Gamma_1^2 + \Gamma_0^2) N]^{-1}\,\Gamma_1$$

And to find the inverse in $GF(2^2)$ of $\Gamma = g_1 W^2 + g_0 W$ as $\Delta = d_1 W^2 + d_0 W$, then

$$\Gamma\Delta = [g_1 d_1 + (g_1 + g_0)(d_1 + d_0)]\,W^2 + [g_0 d_0 + (g_1 + g_0)(d_1 + d_0)]\,W$$

so

$$
\begin{aligned}
d_1 &= [g_1 g_0 + g_1 + g_0]\, g_0 = g_0 \\
d_0 &= [g_1 g_0 + g_1 + g_0]\, g_1 = g_1
\end{aligned}
$$

using the same simplifications as before in $GF(2)$.
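The same tower with normal bases at every level, as an added example (not the paper's code). It implements the normal-basis product and inverse formulas just derived with $\tau = T = 1$; the constants $N = \Omega$ and $\nu = \Omega Z^4$ and the bit encodings are choices made here and checked in the code. One consequence of the normal basis worth seeing in the encoding: since $1 = W^2 + W = Z^4 + Z = Y^{16} + Y$ when the trace is 1, the element 1 is written 11 at every level, and the $GF(2^2)$ inverse (= squaring = the Frobenius rotation) is a plain swap of the two bits.

```python
"""Tower-field inversion of GF(2^8) with normal bases at each level.

Added example, not code from the paper.  tau = T = 1; N, nu and the bit
encodings are this example's choices:
  GF(2^2): int 0..3 = bits (g1, g0) meaning g1 W^2 + g0 W, so 1 = 0b11
  GF(2^4): pair (G1, G0) meaning G1 Z^4 + G0 Z, so 1 = (3, 3)
  GF(2^8): pair (gamma1, gamma0) meaning gamma1 Y^16 + gamma0 Y
"""


def nmul2(a, b):
    """[g1 d1 + (g1+g0)(d1+d0)] W^2 + [g0 d0 + (g1+g0)(d1+d0)] W  (T = N = 1)."""
    a1, a0, b1, b0 = a >> 1, a & 1, b >> 1, b & 1
    cross = (a1 ^ a0) & (b1 ^ b0)
    return (((a1 & b1) ^ cross) << 1) | ((a0 & b0) ^ cross)


def ninv2(a):
    """d1 = g0, d0 = g1: inversion (= squaring) is a swap of the two bits."""
    return ((a & 1) << 1) | (a >> 1)


N = 1   # N = Omega = W, encoded 0b01; z^2 + z + N has no root in GF(2^2)


def add4(a, b):
    return (a[0] ^ b[0], a[1] ^ b[1])


def nmul4(a, b):
    """[G1 D1 + (G1+G0)(D1+D0) N] Z^4 + [G0 D0 + (G1+G0)(D1+D0) N] Z  (T = 1)."""
    (A1, A0), (B1, B0) = a, b
    cross = nmul2(nmul2(A1 ^ A0, B1 ^ B0), N)
    return (nmul2(A1, B1) ^ cross, nmul2(A0, B0) ^ cross)


def ninv4(a):
    """Theta = [G1 G0 + (G1 + G0)^2 N]^-1;  Delta1 = Theta G0, Delta0 = Theta G1."""
    G1, G0 = a
    theta = ninv2(nmul2(G1, G0) ^ nmul2(nmul2(G1 ^ G0, G1 ^ G0), N))
    return (nmul2(theta, G0), nmul2(theta, G1))


NU = (1, 0)   # nu = Omega Z^4; y^2 + y + nu has no root in GF(2^4) (checked below)


def nmul8(a, b):
    """[g1 d1 + (g1+g0)(d1+d0) nu] Y^16 + [g0 d0 + (g1+g0)(d1+d0) nu] Y  (tau = 1)."""
    (g1, g0), (d1, d0) = a, b
    cross = nmul4(nmul4(add4(g1, g0), add4(d1, d0)), NU)
    return (add4(nmul4(g1, d1), cross), add4(nmul4(g0, d0), cross))


def ninv8(a):
    """theta = [g1 g0 + (g1 + g0)^2 nu]^-1;  delta1 = theta g0, delta0 = theta g1."""
    g1, g0 = a
    phi = add4(g1, g0)
    theta = ninv4(add4(nmul4(g1, g0), nmul4(nmul4(phi, phi), NU)))
    return (nmul4(theta, g0), nmul4(theta, g1))


GF4 = [(a, b) for a in range(4) for b in range(4)]
GF8 = [(a, b) for a in GF4 for b in GF4]
ZERO8, ONE8 = ((0, 0), (0, 0)), ((3, 3), (3, 3))


def tower_is_valid():
    """Both quadratics are irreducible: no root in the respective subfield."""
    return (all(nmul2(x, x) ^ x != N for x in range(4))
            and all(add4(nmul4(x, x), x) != NU for x in GF4))


def inverses_check_out():
    """g * ninv8(g) == 1 for every nonzero g, and ninv8(0) == 0 automatically."""
    return (ninv8(ZERO8) == ZERO8
            and all(nmul8(g, ninv8(g)) == ONE8 for g in GF8 if g != ZERO8))


def squaring_is_a_rotation():
    """In a normal basis the Frobenius map b -> b^2 rotates the coordinates;
    for two coordinates that is exactly the bit swap ninv2 performs."""
    return all(nmul2(x, x) == ninv2(x) for x in range(4))
```

Compared with the polynomial-basis inverter, the normal-basis one needs no separate $(\gamma_0 + \gamma_1\tau)$ multiplier: both halves of the inverse are the same $\theta$ times a swapped input, which is where the gate savings the paper reports in Section 5 come from.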

This shows how we break one problem (the 8-bit inverse in $GF(2^8)$) down into simpler
problems (4-bit operations in $GF(2^4)$), which can further be broken down to still simpler
problems (2-bit operations in $GF(2^2)$ and bit operations in $GF(2)$).

4  Optimizations 

There  are  several  ways  to  reorganize  the  calculations  above  in  order  to  reduce  the  total 
operation  count  and  hence  minimize  the  circuitry  required.  Additionally,  there  is  some 
freedom  in  the  choice  of  the  coefficients  in  the  minimal  polynomials  r(y)  and  s(z)  to  give 
convenient  multipliers. 
Figure 1: Polynomial $GF(2^8)$ inverter: $(\gamma_1 y + \gamma_0)^{-1} = (\delta_1 y + \delta_0)$. Notes: the datapaths all
have the same bit width, shown at the output (4 bits here); addition is bitwise exclusive-OR;
and sub-field multipliers appear below.


Figure 2: Polynomial $GF(2^4)$ inverter: $(\Gamma_1 z + \Gamma_0)^{-1} = (\Delta_1 z + \Delta_0)$


The inverse formulas in $GF(2^8)/GF(2^4)$ would simplify considerably if we could choose
$\tau = 0$ or $\nu = 0$, but neither choice gives an irreducible polynomial. We can find irreducible
polynomials with $\tau = 1$, which is also convenient. This is better than choosing $\nu = 1$, since
$\tau$ appears in two products in the inverse (in the polynomial basis, but even for the normal
basis $\tau = 1$ turns out to be preferable). We can’t choose both $\nu = \tau = 1$ since then we get
the minimal polynomial of $\Omega$ and $\Psi$ in $GF(2^2)$, a subfield of $GF(2^4)$. So from here on we let
$\tau = 1$ and similarly let $T = 1$.

4.1 Polynomial Basis Optimizations

First we consider optimizations using polynomial bases. In $GF(2^8)/GF(2^4)$ the only operation required is the inverse. Satoh et al. [12] indicate the following steps in inverting $g = \gamma_1 y + \gamma_0$, where we return to the $\otimes$, $\oplus$ notation, and give names to intermediate results, to clarify the subfield operations needed:

$\phi = \gamma_1 \oplus \gamma_0$

$\theta = [(\nu \otimes \gamma_1^2) \oplus (\phi \otimes \gamma_0)]^{-1}$

$g^{-1} = [\theta \otimes \gamma_1]\,y + [\theta \otimes \phi]$

(Note: in the notation of [12], our $\nu$ becomes $\lambda$ and our $N$ becomes $\phi$.) The operations required in the subfield $GF(2^4)/GF(2^2)$ include an inverter, multipliers, and adders (bitwise XOR); see Figure 1.

The subfield inversions can be performed similarly, as suggested by [12]. So to invert $\gamma = \Gamma_1 z + \Gamma_0$ in $GF(2^4)$:

$\Phi = \Gamma_1 \oplus \Gamma_0$

$\Theta = [(N \otimes \Gamma_1^2) \oplus (\Phi \otimes \Gamma_0)]^{-1}$

$\gamma^{-1} = [\Theta \otimes \Gamma_1]\,z + [\Theta \otimes \Phi]$
Figure 3: Polynomial $GF(2^2)$ inverter: $(g_1 w + g_0)^{-1} = (d_1 w + d_0)$. Note: in $GF(2^2)$ inverting is the same as squaring.

Figure 4: Polynomial $GF(2^4)$ multiplier: $(\Gamma_1 z + \Gamma_0) \otimes (\Delta_1 z + \Delta_0) = (\Phi_1 z + \Phi_0)$

(see Figure 2). And in $GF(2^2)$ the inverse of $\Gamma = g_1 w + g_0$ is simply:

$\Gamma^{-1} = [g_1]\,w + [g_1 \oplus g_0]$

(see Figure 3).

The multiplier in $GF(2^4)$ given by [12] finds the product $\gamma\delta = (\Gamma_1 z + \Gamma_0)(\Delta_1 z + \Delta_0)$ by the steps

$\Phi = \Gamma_0 \otimes \Delta_0$

$\gamma\delta = [\Phi \oplus (\Gamma_1 \oplus \Gamma_0) \otimes (\Delta_1 \oplus \Delta_0)]\,z + [\Phi \oplus (N \otimes \Gamma_1 \otimes \Delta_1)]$

(see Figure 4). Similarly in $GF(2^2)$, the product $\Gamma\Delta = (g_1 w + g_0)(d_1 w + d_0)$ can be found by

$f = g_0 \otimes d_0$

$\Gamma\Delta = [f \oplus (g_1 \oplus g_0) \otimes (d_1 \oplus d_0)]\,w + [f \oplus (g_1 \otimes d_1)]$

(where in $GF(2)$, $\otimes$ means AND; see Figure 5).

For  further  efficiency,  multiplication  by  a  known  constant  (e.g.  v  above),  which  we  will 
call  “scaling,”  should  use  a  specialized  circuit  instead  of  a  generic  multiplier,  and  the  same 
is  true  for  squaring. 

Scaling $\gamma = \Gamma_1 z + \Gamma_0$ in $GF(2^4)$ by $\nu = \Lambda_1 z + \Lambda_0$ becomes simpler for special choices of $\nu$, for example, if $\Lambda_0 = 0$. (It is not possible to choose $\Lambda_1 = 0$, because then $r(y)$ is reducible.) Then

$\nu\gamma = [\Lambda_1 \otimes (\Gamma_1 \oplus \Gamma_0)]\,z + [(N\Lambda_1) \otimes \Gamma_1]$

And choosing $N = \Lambda_1^{-1}$ makes scaling by $\nu$ even simpler:

$\nu\gamma = [(N^{-1}) \otimes (\Gamma_1 \oplus \Gamma_0)]\,z + [\Gamma_1]$

Figure 5: Polynomial $GF(2^2)$ multiplier: $(g_1 w + g_0) \otimes (d_1 w + d_0) = (f_1 w + f_0)$. Note: in $GF(2)$, multiplication is bitwise AND.

Figure 6: Polynomial $GF(2^2)$ $w$-scaler: $(w) \otimes (g_1 w + g_0) = (d_1 w + d_0)$

Figure 7: Polynomial $GF(2^2)$ $w^2$-scaler: $(w^2) \otimes (g_1 w + g_0) = (d_1 w + d_0)$

In $GF(2^2)$, since $N \neq 0, 1$ (so that $s(z) = z^2 + z + N$ is irreducible over $GF(2^2)$), then both $N$ and $N + 1$ are roots of $t(w) = w^2 + w + 1$, and $N^{-1} = N^2 = N + 1$. Depending on which root we choose for the polynomial basis $[w, 1]$, then either $N = w$ or $N^2 = w$. In either case, since we need scalers for both $N$ and $N^2$, this corresponds to scalers for both $w$ and $w^2$, and scaling becomes

$(w) \otimes (g_1 w + g_0) = [g_1 \oplus g_0]\,w + [g_1]$

$(w^2) \otimes (g_1 w + g_0) = [g_0]\,w + [g_0 \oplus g_1]$

(see  Figures  6-7). 

Squaring $\gamma = \Gamma_1 z + \Gamma_0$ in $GF(2^4)$ corresponds to

$\Phi = \Gamma_1^2$

$\gamma^2 = [\Phi]\,z + [\Gamma_0^2 \oplus N \otimes \Phi]$

Of course, squaring $\Gamma = g_1 w + g_0$ in the subfield $GF(2^2)$ can be done similarly, using further simplifications in $GF(2)$:

$\Gamma^2 = [g_1]\,w + [g_0 \oplus g_1]$

Note that, in $GF(2^2)$, every nonzero element $\Gamma$ satisfies $\Gamma^3 = 1$, so $\Gamma^{-1} = \Gamma^2$, i.e., the $GF(2^2)$ inverter is the same as the squarer (see Figure 3).

Another improvement comes from combining the square in $GF(2^4)$ with the scaling by $\nu$, since it is only this combination that is required in the $GF(2^8)$ inverter. Then for the choice of $\nu$ above

$\nu \otimes \gamma^2 = \nu \otimes (\Gamma_1 z + \Gamma_0)^2$
$= \nu \otimes ([\Gamma_1^2]\,z + [\Gamma_0^2 \oplus N \otimes \Gamma_1^2])$
$= [N^2 \otimes (\Gamma_1^2 \oplus (\Gamma_0^2 \oplus N \otimes \Gamma_1^2))]\,z + [\Gamma_1^2]$
$= [(N^2 + 1) \otimes \Gamma_1^2 \oplus N^2 \otimes \Gamma_0^2]\,z + [\Gamma_1^2]$
$= [N \otimes \Gamma_1^2 \oplus N^2 \otimes \Gamma_0^2]\,z + [\Gamma_1^2]$

Figure 8: Polynomial $GF(2^2)$ square-scaler: $(w) \otimes (g_1 w + g_0)^2 = (d_1 w + d_0)$. Note: no gates required.

Figure 9: Polynomial $GF(2^2)$ square-scaler: $(w^2) \otimes (g_1 w + g_0)^2 = (d_1 w + d_0)$

In the subfield $GF(2^2)$, combining squaring with scaling by $w$ gives

$(w) \otimes \Gamma^2 = (w) \otimes (g_1 w + g_0)^2$
$= (w) \otimes ([g_1]\,w + [g_0 \oplus g_1])$
$= [g_1 \oplus (g_0 \oplus g_1)]\,w + [g_1]$
$= [g_0]\,w + [g_1]$

(see Figure 8) so this combination is free (being just a swap of two bits)! This suggests that if we choose $w = N$, then

$\nu \otimes \gamma^2 = [\{N \otimes \Gamma_1^2\} \oplus N \otimes \{N \otimes \Gamma_0^2\}]\,z + [N^2 \otimes \{N \otimes \Gamma_1^2\}]$

performs this combined operation with one addition and two scalings in the subfield, since the operations in $\{\}$ are free. Or, if instead we choose $w = N^2$ (see Figure 9) then

$\nu \otimes \gamma^2 = [N^2 \otimes \{N^2 \otimes \Gamma_1^2\} \oplus \{N^2 \otimes \Gamma_0^2\}]\,z + [N \otimes \{N^2 \otimes \Gamma_1^2\}]$

again requiring only one addition and two scalings.

Also, combining the multiplication in $GF(2^2)$ with scaling by $N$ gives a small improvement; this combination appears in the $GF(2^4)$ multiplier. If $N = w$, for example, the scaled product $N\Gamma\Delta = w(g_1 w + g_0)(d_1 w + d_0)$ becomes

$f = (g_1 \oplus g_0) \otimes (d_1 \oplus d_0)$

$N\Gamma\Delta = [f \oplus (g_1 \otimes d_1)]\,w + [f \oplus (g_0 \otimes d_0)]$

so the scaling is "free."

Figure 10: Normal $GF(2^2)$ inverter: $(g_1 W^2 + g_0 W)^{-1} = (d_1 W^2 + d_0 W)$. Note: no gates required; again, in $GF(2^2)$ inverting is the same as squaring.

Figure 11: Normal $GF(2^8)$ inverter: $(\gamma_1 Y^{16} + \gamma_0 Y)^{-1} = (\delta_1 Y^{16} + \delta_0 Y)$


4.2 Normal Basis Optimizations

Analogous optimizations are available using normal bases, although the details change. For instance, in $GF(2^2)$ with a normal basis $[W^2, W]$ the squaring operation is free:

$(g_1 W^2 + g_0 W)^2 = g_0 W^2 + g_1 W$

(see Figure 10). And while it is still convenient to choose $\tau = 1$ and $T = 1$, different choices for $\nu$ and $N$ can make the combination of squaring and scaling in $GF(2^4)$ efficient. Here scaling the square of $\gamma = \Gamma_1 Z^4 + \Gamma_0 Z$ by $\nu = \Lambda_1 Z^4 + \Lambda_0 Z$ gives

$\nu \otimes \gamma^2 = \nu \otimes \{[\Gamma_1^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]\,Z^4 + [\Gamma_0^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]\,Z\}$
$= [\Lambda_1 \otimes (\Gamma_1^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)) \oplus N(\Lambda_1 \oplus \Lambda_0) \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]\,Z^4$
$\quad + [\Lambda_0 \otimes (\Gamma_0^2 \oplus N \otimes (\Gamma_1^2 \oplus \Gamma_0^2)) \oplus N(\Lambda_1 \oplus \Lambda_0) \otimes (\Gamma_1^2 \oplus \Gamma_0^2)]\,Z$
$= [(\Lambda_1 + N\Lambda_0) \otimes \Gamma_1^2 \oplus (N\Lambda_0) \otimes \Gamma_0^2]\,Z^4 + [(N\Lambda_1) \otimes \Gamma_1^2 \oplus (\Lambda_0 + N\Lambda_1) \otimes \Gamma_0^2]\,Z$

This can be made more efficient by choosing, for example, $\Lambda_1 = N\Lambda_0$, giving

$\nu \otimes \gamma^2 = [(N\Lambda_0) \otimes \Gamma_0^2]\,Z^4 + [(N\Lambda_1) \otimes \Gamma_1^2 \oplus (\Lambda_0 + N\Lambda_1) \otimes \Gamma_0^2]\,Z$
$= [(N\Lambda_0) \otimes \Gamma_0^2]\,Z^4 + [(N^2\Lambda_0) \otimes \Gamma_1^2 \oplus ((N^2 + 1)\Lambda_0) \otimes \Gamma_0^2]\,Z$
$= [(N\Lambda_0) \otimes \Gamma_0^2]\,Z^4 + [(N^2\Lambda_0) \otimes \Gamma_1^2 \oplus (N\Lambda_0) \otimes \Gamma_0^2]\,Z$

which again requires only two scalings and an addition (note the common sub-expression), since squaring is free. Also, it is possible to choose $\Lambda_0 = N^{-1}$ to save one scaling.

The top level inversion, of $g = \gamma_1 Y^{16} + \gamma_0 Y$ in $GF(2^8)$, can be done by

$\theta = [\{\nu \otimes (\gamma_1 \oplus \gamma_0)^2\} \oplus (\gamma_1 \otimes \gamma_0)]^{-1}$

$g^{-1} = [\theta \otimes \gamma_0]\,Y^{16} + [\theta \otimes \gamma_1]\,Y$

Figure 12: Normal $GF(2^4)$ inverter: $(\Gamma_1 Z^4 + \Gamma_0 Z)^{-1} = (\Delta_1 Z^4 + \Delta_0 Z)$

Figure 13: Normal $GF(2^4)$ multiplier: $(\Gamma_1 Z^4 + \Gamma_0 Z) \otimes (\Delta_1 Z^4 + \Delta_0 Z) = (\Phi_1 Z^4 + \Phi_0 Z)$

(see Figure 11). Similarly, $\gamma = \Gamma_1 Z^4 + \Gamma_0 Z$ in $GF(2^4)$ is inverted by

$\Theta = [N \otimes (\Gamma_1 \oplus \Gamma_0)^2 \oplus (\Gamma_1 \otimes \Gamma_0)]^{-1}$

$\gamma^{-1} = [\Theta \otimes \Gamma_0]\,Z^4 + [\Theta \otimes \Gamma_1]\,Z$

(see Figure 12) where in $GF(2^2)$ inversion is the same as squaring, which is free.

In $GF(2^4)$ the product $\gamma\delta = (\Gamma_1 Z^4 + \Gamma_0 Z)(\Delta_1 Z^4 + \Delta_0 Z)$ is found by

$\Phi = N \otimes (\Gamma_1 \oplus \Gamma_0) \otimes (\Delta_1 \oplus \Delta_0)$

$\gamma\delta = [\Phi \oplus (\Gamma_1 \otimes \Delta_1)]\,Z^4 + [\Phi \oplus (\Gamma_0 \otimes \Delta_0)]\,Z$

(see Figure 13). And in $GF(2^2)$, the product $\Gamma\Delta = (g_1 W^2 + g_0 W)(d_1 W^2 + d_0 W)$ corresponds to

$f = (g_1 \oplus g_0) \otimes (d_1 \oplus d_0)$

$\Gamma\Delta = [f \oplus (g_1 \otimes d_1)]\,W^2 + [f \oplus (g_0 \otimes d_0)]\,W$

Figure 14: Normal $GF(2^2)$ multiplier: $(g_1 W^2 + g_0 W) \otimes (d_1 W^2 + d_0 W) = (f_1 W^2 + f_0 W)$

Figure 15: Normal $GF(2^2)$ $W$-scaler: $(W) \otimes (g_1 W^2 + g_0 W) = (d_1 W^2 + d_0 W)$

Figure 16: Normal $GF(2^2)$ $W^2$-scaler: $(W^2) \otimes (g_1 W^2 + g_0 W) = (d_1 W^2 + d_0 W)$

Figure 17: Normal $GF(2^2)$ square-scaler: $(W) \otimes (g_1 W^2 + g_0 W)^2 = (d_1 W^2 + d_0 W)$

Figure 18: Normal $GF(2^2)$ square-scaler: $(W^2) \otimes (g_1 W^2 + g_0 W)^2 = (d_1 W^2 + d_0 W)$

(see Figure 14). Scaling in $GF(2^2)$ is accomplished by

$(W) \otimes (g_1 W^2 + g_0 W) = [g_1 \oplus g_0]\,W^2 + [g_1]\,W$

$(W^2) \otimes (g_1 W^2 + g_0 W) = [g_0]\,W^2 + [g_0 \oplus g_1]\,W$

(see Figures 15-18).

At  this  level  of  optimization,  the  smallest  GF( 28)  inverter  using  normal  bases  turns  out 
to  use  exactly  the  same  number  of  gates  as  the  smallest  polynomial  version.  However,  this 
does  not  account  for  further  optimizations  from  common  subexpressions  (discussed  below), 
nor  for  the  change  in  representation  (basis)  required  on  entering  and  leaving  the  S-box. 

4.3  Mixing  Basis  Types 

There is no reason why the three bases, for $GF(2^8)$, $GF(2^4)$, and $GF(2^2)$, should all be polynomial bases or all be normal bases; one is free to choose either type of basis at each level. (Of course, one could choose other types of basis at each level, but both polynomial and normal bases have structure that leads to efficient calculation, which is lacking in other bases.) We have seen that the inverters in $GF(2^8)$ for both types of basis require the same number and type of operations in $GF(2^4)$, and similarly for the inverters in $GF(2^4)$. The multipliers also use the same operations for both types of bases; the same is true for the scalers in $GF(2^2)$.

In $GF(2^2)$, squaring is free with a normal basis, while the combination $w \otimes \Gamma^2$ is free with a polynomial basis. Since the $GF(2^4)$ inverter needs one $GF(2^2)$ inverter (same as squaring) and one combo $N \otimes \Gamma^2$, then as long as $N = w$ this gives no preference for either type of basis.

The main differences then are in the combined squaring-scaling operation required by the $GF(2^8)$ inverters: $\nu \otimes \gamma^2$. The details vary for the calculations this operation requires in $GF(2^2)$, depending on the basis types and the relations between $\nu$, $N$, $z$, and $w$. The tables below summarize all the different cases.


Coefficients: Polynomial GF(2^4) Basis

  ν = Cz + D,   ν ⊗ (Az + B)^2 = [(CN^2 + D)A^2 + CB^2] z + [(C + D)N A^2 + DB^2]

                                                                        XOR Gates
                                                              poly. GF(2^2)       norm.
   C     D    z coefficient            constant term          w = N   w = N^2     GF(2^2)
  ---   ---   ----------------------   ------------------------ -----  -------    -------
   N     0    A^2 ⊕ N ⊗ B^2            N^2 ⊗ A^2                  4       5          4
   N^2   0    N ⊗ A^2 ⊕ N^2 ⊗ B^2      A^2                        4       5          4
   N     N    N^2 ⊗ A^2 ⊕ N ⊗ B^2      N ⊗ B^2                    3       4          4
   N^2   N^2  A^2 ⊕ N^2 ⊗ B^2          N^2 ⊗ B^2                  4       4          3
   N     1    N ⊗ B^2                  (A ⊕ B)^2                  3       5          3
   N^2   N    N^2 ⊗ B^2                N ⊗ (A ⊕ B)^2              3       4          4
   N     N^2  N ⊗ (A ⊕ B)^2            N ⊗ (A ⊕ B)^2 ⊕ B^2        5       7          5
   N^2   1    N^2 ⊗ (A ⊕ B)^2          N^2 ⊗ (A ⊕ B)^2 ⊕ N ⊗ B^2  5       6          6

Coefficients: Normal GF(2^4) Basis

  ν = CZ^4 + DZ,   ν ⊗ (AZ^4 + BZ)^2 = [CA^2 + DN(A^2 + B^2)] Z^4 + [CN(A^2 + B^2) + DB^2] Z

                                                                        XOR Gates
                                                              poly. GF(2^2)       norm.
   C     D    Z^4 coefficient          Z coefficient          w = N   w = N^2     GF(2^2)
  ---   ---   ----------------------   ------------------------ -----  -------    -------
   N     0    N ⊗ A^2                  N^2 ⊗ (A ⊕ B)^2            3       4          4
   0     N    N^2 ⊗ (A ⊕ B)^2          N ⊗ B^2                    3       4          4
   N^2   0    N^2 ⊗ A^2                (A ⊕ B)^2                  4       4          3
   0     N^2  (A ⊕ B)^2                N^2 ⊗ B^2                  4       4          3
   N     1    N ⊗ B^2                  N^2 ⊗ A^2 ⊕ N ⊗ B^2        3       4          4
   1     N    N ⊗ A^2 ⊕ N^2 ⊗ B^2      N ⊗ A^2                    3       4          4
   N^2   1    A^2 ⊕ N ⊗ B^2            A^2                        3       5          3
   1     N^2  B^2                      N ⊗ A^2 ⊕ B^2              3       5          3

The first table is for a polynomial basis in $GF(2^4)$; the second is for a normal basis. The first two columns show the coefficients of $\nu$ in terms of $N$, which depends on the bases for $GF(2^4)$ and $GF(2^2)$. (All eight possibilities are shown for both tables, although, due to the symmetry of normal bases, the second table essentially has only four cases, each shown two ways.) The next two columns show the coefficients of $\nu \otimes \gamma^2$ that need to be calculated; each is expressed in a form to suggest a compact calculation. The last three columns show the total number of XOR gates required for: a polynomial basis for $GF(2^2)$ with $w = N$; a polynomial basis for $GF(2^2)$ with $w = N^2$; or a normal basis for $GF(2^2)$. Note that addition in $GF(2^2)$ uses two XOR's while scaling uses one. These numbers incorporate taking advantage of whichever calculation is free in the particular $GF(2^2)$ basis, and include this adjustment: for a polynomial basis in $GF(2^2)$ with $w = N^2$, add one since the $N \otimes \Gamma^2$ in the inverter requires a scaling.

Altogether,  85  XOR’s  and  36  AND’s  are  needed  for  the  rest  of  the  calculation,  so  the 
inverter  could  include  from  88  to  92  XOR’s  (excluding  common  subexpression  optimizations 
below), depending on basis choice. This does not account for the gates needed to change between representations (bases) on entering and exiting the S-box. Since there is only a difference of 4 XOR's between the smallest and largest inverter that incorporate the above optimizations, the change of basis can play an important role.

4.4  Common  Subexpressions 

A  further  level  of  optimization  comes  from  finding  subexpressions  that  appear  more  than 
once  in  the  above  hierarchical  view  of  the  inverter.  Each  of  these  common  subexpressions 
need  only  be  computed  once,  thus  reducing  the  size  of  the  inverter. 

As [12] mentions, one place this occurs is when the same factor is input to two different multipliers. Each multiplier needs the sum of the high and low halves of each factor, so a shared factor saves one addition in the subfield. For example, a 2-bit factor shared by two $GF(2^2)$ multipliers saves one XOR. Moreover, since each $GF(2^4)$ multiplier includes three $GF(2^2)$ multipliers, then a shared 4-bit factor implies three corresponding shared 2-bit factors. So each shared 4-bit factor saves five XOR's (one 2-bit addition and three 1-bit additions).

The polynomial-basis inverters for $GF(2^8)$ and $GF(2^4)$ each have two different factors that are each shared between two multipliers (which appeared as $\phi$ and $\theta$ in $GF(2^4)$, $\Phi$ and $\Theta$ in $GF(2^2)$). However, each of the corresponding normal-basis inverters shares all three factors among the three multipliers (called $\theta$, $\gamma_1$ and $\gamma_0$ in $GF(2^4)$, and $\Theta$, $\Gamma_1$ and $\Gamma_0$ in $GF(2^2)$). This gives a significant advantage to using a normal basis in $GF(2^8)$, since the additional shared factor in the $GF(2^8)$ inverter saves five more XOR's.

Another  place  to  look  is  in  the  GF( 24)  square-scale  combination.  It  turns  out  that,  of 
the  36  variations  in  the  tables  (page  18),  a  repeated  sum  of  two  bits  can  be  found  in  10  cases 
(all  with  polynomial  GF( 24)  bases),  saving  one  XOR. 

A  more  subtle  saving  occurs  in  the  GF( 24)  inverter.  There  are  essentially  6  versions, 
depending  on  the  types  of  basis  for  GF( 24)  and  GF( 22),  and  for  a  polynomial  GF( 22)  basis 
whether  N  =  w  or  N  =  w2.  Each  case  can  be  improved  by  at  least  one  XOR,  and  in 
two  cases,  by  two  XOR’s.  These  improvements  all  involve  bit  sums  computed  for  common 
factors  being  combined  with  some  other  operations,  but  the  details  vary  from  case  to  case. 
For  example,  with  both  bases  polynomial,  combining  the  GF( 22)  inverter  with  finding  the 
sum  of  its  output  bits  (it’s  a  shared  factor)  saves  one  XOR.  Or  for  both  normal  bases, 
combining  the  sum  of  the  high  and  low  inputs  and  the  following  square-scale  operation  with 
the  bit  sums  of  the  high  and  low  inputs  (shared  factors)  again  saves  one  XOR. 

The last optimization occurs in the $GF(2^8)$ inverter, combining the bit sums for shared input factors with parts of the square-scale operation. Again the details vary with the specifics of the basis choices. All 36 versions with a normal $GF(2^8)$ basis were examined (the others have a 5 XOR handicap), and also the all-polynomial version corresponding to the bases in [12], for comparison. The resulting improvement ranges from three to five XOR's: for most cases (23) it was three, for a dozen cases it was four, and it was five in only two cases.

While all these additional optimizations apply differently to the various basis choices, they tend to make the various versions more similar in size, with one exception: the extra shared factor in the normal $GF(2^8)$ inverter gives an advantage of five XOR's. Hence those cases using a polynomial basis for $GF(2^8)$ are effectively uncompetitive. The smallest (prior to these optimizations) inverter saves 15 + 3 XOR's in shared factors, 1 more in the $GF(2^4)$ inverter, and 3 more in the $GF(2^8)$ inverter, giving a total size of 66 XOR's and 36 AND's. (The bases of [12] give an inverter with 73 XOR's.)

The  following  tables  show  the  size  of  the  inverter  when  all  of  these  optimizations  have 
been  applied;  in  addition  to  the  number  of  XOR’s  shown,  each  inverter  includes  36  AND’s. 


Poly. GF(2^4) basis: XOR gates (each inverter also includes 36 AND's)

   ν = Cz + D          poly. GF(2^2)           norm.
   C      D          w = N     w = N^2        GF(2^2)
   N      0            67        67             67
   N^2    0            67        67             67
   N      N            67        67             67
   N^2    N^2          67        67          (not legible)
   N      1            67        67             67
   N^2    N            67        67             67
   N      N^2          68        68             67
   N^2    1            67        68             67

Norm. GF(2^4) basis: XOR gates (each inverter also includes 36 AND's)

   ν = CZ^4 + DZ       poly. GF(2^2)           norm.
   C      D          w = N     w = N^2        GF(2^2)
   N      0            66        66             66
   0      N            66        66             66
   N^2    0            66        66             66
   0      N^2          66        66             66
   N      1            66        66             66
   1      N            66        66             66
   N^2    1            66        66             66
   1      N^2          66        66             66

The first table is for a polynomial $GF(2^4)$ basis, the second for a normal $GF(2^4)$ basis; both tables assume a normal basis for $GF(2^8)$, for the extra shared 4-bit factor. It is apparent that these low-level optimizations tend to even out the differences expected from the square-scale operation (compare with the tables on page 18). Using a polynomial $GF(2^4)$ basis costs at least one XOR (one less shared 2-bit factor), and a few cases cost one more. Because the variation in the inverter size is so small, the cost of changing between the standard representation and the S-box basis will be decisive.

4.5  Logic  Gate  Optimizations 

Mathematically,  computing  the  Galois  inverse  in  GF( 28)  breaks  down  into  operations  in 
GF( 2),  i.e.,  the  bitwise  operations  XOR  and  AND.  However,  it  can  be  advantageous  to 
consider  other  logical  operations  that  give  equivalent  results. 

For example, for the 0.13 μm CMOS standard cell library considered [13], a NAND gate is smaller than an AND gate. Since the AND output bits in the $GF(2^2)$ multiplier are always combined by pairs in a following XOR, then the AND gates can be replaced by NAND gates. That is, $[(a \otimes b) \oplus (c \otimes d)]$ is equivalent to $[(a\ \mathrm{NAND}\ b)\ \mathrm{XOR}\ (c\ \mathrm{NAND}\ d)]$, since the two inversions cancel in the XOR. This gives a slight size saving.

Also,  in  this  library  an  XNOR  (not-exclusive-or,  which  really  should  be  called  NXOR) 
gate  is  the  same  size  as  an  XOR  gate.  This  is  useful  in  the  affine  transformation  of  the  S-box, 
where  the  addition  of  the  constant  b  =  0x63  requires  applying  a  NOT  to  some  of  the  output 
bits.  In  most  cases,  this  can  be  done  by  replacing  an  XOR  by  an  XNOR  in  the  bit-matrix 
multiply,  so  is  “free.”  But  in  some  cases,  such  as  when  an  output  bit  is  given  by  a  single 
input  bit,  the  negation  must  be  done  explicitly  with  a  NOT  gate. 

Note that the combination $[a \oplus b \oplus (a \otimes b)]$ is equivalent to $[a\ \mathrm{OR}\ b]$. In the few places in the inverter where this combination occurs, we can replace 2 XOR's and an AND by a single OR, a worthwhile substitution. But since we use NAND's, as mentioned above, then the replacement would be a NOR, which is smaller than an OR. In fact, the NOR gate is smaller than an XOR gate, which means that even when a little rearrangement is required to get that combination, it is worthwhile even if the NOR ends up replacing only a single XOR.

These  gate-level  optimizations  apply  more  or  less  equally  to  the  different  bases  considered, 
so  play  only  a  minor  role  in  the  selection  of  a  particular  basis. 

5  Choices  of  Representation 

This algorithm involves several related representations, or isomorphisms, of Galois Fields. First, $GF(2^8)$ is considered as the set of bytes with the polynomial basis implied by the irreducible polynomial $q(x) = x^8 + x^4 + x^3 + x + 1$. Then $GF(2^8)/GF(2^4)$ is also considered as polynomials with coefficients in $GF(2^4)$, based on the irreducible polynomial $r(y) = y^2 + y + \nu$. Similarly, $GF(2^4)/GF(2^2)$ uses a basis implied by the irreducible polynomial $s(z) = z^2 + z + N$, and $GF(2^2)/GF(2)$ uses a root of $t(w) = w^2 + w + 1$. So each byte of information has two forms: the standard AES form (polynomial basis in 8 powers of $A$), and the subfield form in $GF(2^8)/GF(2^4)$ as a pair of 4-bit coefficients, each being (in $GF(2^4)/GF(2^2)$) a pair of two-bit coefficients, which in turn are coefficients in the basis for $GF(2^2)$.

One  approach  to  using  these  two  forms,  as  suggested  by  [11],  is  to  convert  each  byte  of  the 
input  block  once,  and  do  all  of  the  AES  algorithm  in  the  new  form,  only  converting  back  at 
the  end  of  all  the  rounds.  Since  all  the  arithmetic  in  the  AES  algorithm  is  Galois  arithmetic, 
this  would  work  fine,  provided  the  key  was  appropriately  converted  as  well.  However,  the 
MixColumns  step  involves  multiplying  by  constants  that  are  simple  in  the  standard  basis  (2 
and  3,  or  A  and  A  +  1),  but  this  simplicity  is  lost  in  the  subfield  basis.  For  example,  scaling 
by  2  in  the  standard  basis  takes  only  3  XOR’s;  the  most  efficient  normal-basis  version  of 
this  scaling  requires  18  XOR’s.  Similar  concerns  arise  in  the  inverse  of  MixColumns ,  used  in 
decryption.  This  extra  complication  more  than  offsets  the  savings  from  delaying  the  basis 
change  back  to  standard.  Then,  as  in  [12],  the  affine  transformation  can  be  combined  with 
the  basis  change  (see  below).  For  these  reasons,  it  is  most  efficient  to  change  into  the  subfield 
basis  on  entering  the  S-box  and  to  change  back  again  on  leaving  it. 

Each change of basis is in effect multiplication by an 8x8 bit matrix. Letting $X$ refer to the matrix that converts from the subfield basis to the standard basis, then to compute the S-box function of a given byte, first we do a bit-matrix multiply by $X^{-1}$ to change into the subfield basis, then calculate the Galois inverse by subfield arithmetic, then change basis back again by another bit-matrix multiply, by $X$. But this is followed directly by the affine transformation (substep 2), which includes another bit-matrix multiply, by the constant matrix $M$. (This can be regarded as another change of basis, since $M$ is invertible.) So we can combine the matrices into the product $MX$ to save one bit-matrix multiply, as pointed out by [12]. Then adding the constant $b$ completes the S-box function.

The inverse S-box function is similar, except the XOR with constant $b$ comes first, followed by multiplication by the bit matrix $(MX)^{-1}$. Then after finding the inverse, we convert back to the standard basis through multiplication by the matrix $X$.

For each such constant-matrix multiply, the gate count can be reduced by "factoring out" combinations of input bits that are shared between different output bits (rows). One way to do this is known as the "greedy algorithm," where at each stage one picks the combination of two input bits that is shared by the most output bits; that combination is then pre-computed in a single (XOR) gate, whose output effectively becomes a new input to the remaining matrix multiply. The greedy algorithm is straightforward to implement, and generally gives good results.
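The greedy pairing step just described is short enough to show in full. The following is an added example, not the paper's program (the paper's own tool is the exhaustive tree search in Appendix C, which is not reproduced here): it factors a constant bit matrix greedily, counts the XOR gates before and after, and re-evaluates the factored circuit on every input to confirm it still computes the same product. The row encoding (bit $i$ set in a row means input bit $i$ is XORed into that output), the function names, and the choice of the AES affine matrix $M$ as the test matrix are this example's own; the text gives no gate counts for $M$, so the example only checks that the factored form is correct and cheaper than the row-by-row count.

```python
# Added example (not the paper's code): the "greedy" XOR-sharing heuristic
# for a constant GF(2) bit-matrix multiply, tried on the AES affine matrix M.
from itertools import combinations


def _rotl8(x, k):
    return ((x << k) | (x >> (8 - k))) & 0xFF


# Row i of M selects input bits i, i+4, i+5, i+6, i+7 (mod 8), i.e. the
# circulant of 0xF1.  This is the public AES constant, not a value from the
# paper's tables.
M_ROWS = [_rotl8(0xF1, i) for i in range(8)]


def popcount(x):
    return bin(x).count("1")


def matrix_vector(rows, x):
    """Direct product: output bit i is the parity of the input bits rows[i] selects."""
    out = 0
    for i, row in enumerate(rows):
        out |= (popcount(row & x) & 1) << i
    return out


def naive_xor_count(rows):
    """Rows computed independently: one XOR fewer than the number of terms in each."""
    return sum(max(popcount(r) - 1, 0) for r in rows)


def greedy_factor(rows, n_inputs):
    """Greedy algorithm of the text: repeatedly take the pair of (possibly
    already derived) bits shared by the most rows, compute it once with one
    XOR, and treat it as a new input bit.  Returns (steps, reduced_rows, cost)
    where cost is the total XOR count of the factored circuit."""
    rows = list(rows)
    steps = []                     # (new_bit, a, b): new_bit = a XOR b
    n = n_inputs
    while True:
        best, best_pair = 1, None
        for a, b in combinations(range(n), 2):
            mask = (1 << a) | (1 << b)
            shared = sum(1 for r in rows if r & mask == mask)
            if shared > best:
                best, best_pair = shared, (a, b)
        if best_pair is None:      # no pair is used by two or more rows
            break
        a, b = best_pair
        mask = (1 << a) | (1 << b)
        steps.append((n, a, b))
        rows = [(r ^ mask) | (1 << n) if r & mask == mask else r for r in rows]
        n += 1
    return steps, rows, len(steps) + naive_xor_count(rows)


def evaluate(steps, rows, x):
    """Run the factored circuit on input x, deriving the shared bits first."""
    bits = x
    for new, a, b in steps:
        bits |= (((bits >> a) ^ (bits >> b)) & 1) << new
    return matrix_vector(rows, bits)


def demo():
    """Factor M greedily; return (naive XOR count, greedy XOR count, all 256 inputs agree)."""
    steps, rows, cost = greedy_factor(M_ROWS, 8)
    ok = all(evaluate(steps, rows, x) == matrix_vector(M_ROWS, x) for x in range(256))
    return naive_xor_count(M_ROWS), cost, ok
```

Ties between equally shared pairs are broken by enumeration order here, which is exactly the arbitrariness the text's tree search removes: a different tie-break can end at a different gate count, and only the exhaustive search can certify the minimum.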

But  the  greedy  algorithm  may  not  find  the  best  result.  We  used  a  brute- force  “tree 
search”  approach  to  finding  the  optimal  factoring.  At  each  stage,  each  possible  choice  for 
factoring  out  a  bit  combination  was  tried,  and  the  next  stage  examined  recursively.  Actually, 
some  “pruning”  of  the  tree  is  possible,  when  the  bit-pair  choice  in  the  current  stage  is 
independent  of  that  in  the  calling  stage  and  had  been  checked  previously.  Appendix  C  gives 
the  C  program. 

This  method  is  guaranteed  to  find  the  minimal  number  of  gates;  the  drawback  is  that 
one  cannot  tell  how  long  it  will  take,  due  to  the  combinatorial  complexity  of  the  algorithm. 
For  example,  running  on  an  Intel  Xeon  processor  under  Linux  (without  “pruning”),  one 
particular  8x8  matrix  took  over  2  weeks,  while  many  others  took  a  fraction  of  a  microsecond. 
(However,  many  of  the  matrices  that  took  very  long  times  had  already  been  ruled  poor 
candidates  by  the  greedy  algorithm,  and  could  have  been  skipped.) 

Using the "merged" S-box and inverse S-box of [12] complicates this picture, but reduces the hardware required overall when both encryption and decryption are needed. There, a block containing a single $GF(2^8)$ inverter can be used to compute either the S-box function or its inverse, depending on a selector signal. Given an input byte $a$, both $X^{-1} a$ and $(MX)^{-1}(a + b)$ are computed, with the first selected for encryption, the second for decryption. That selection is input into the inverter, and from the output byte $c$, both $(MX)\,c + b$ and $X\,c$ are computed; again the first is selected for encryption, the second for decryption.

With this merged approach, these basis-change matrix pairs can be optimized together, considering $X^{-1}$ and $(MX)^{-1}$ together as a $16 \times 8$ matrix, and similarly $(MX)$ and $X$, each pair taking one byte as input and giving two bytes as output. (Then $(MX)^{-1}(a + b)$ must be computed as $(MX)^{-1} a + [(MX)^{-1} b]$.) Combining in this way allows more commonality among rows (16 instead of 8) and so yields a more compact "factored" form. Of course, this also means the "tree search" optimizer has a much bigger task and longer run time. (Note: this is what actually induced our development of the "pruning" strategy, which typically gives a speedup factor of 10 to 20 times, enough to make full optimization feasible.)

The  additive  constant  b  of  the  affine  transformation  (or  (MX)-1  b  for  decryption),  being 
an  exclusive-OR  with  a  known  constant,  just  requires  negating  specific  bits  of  the  output  of 
the  basis  change.  (Actually,  for  the  merged  S-box,  the  multiplexors  we  use  are  themselves 
negating,  so  it  is  the  bits  other  than  those  in  b  that  need  negating  first.)  As  mentioned  in 
Section  4.5,  this  usually  involves  replacing  an  XOR  by  an  XNOR  in  the  basis  change  (which 
is  “free”  since  both  XOR  and  XNOR  are  the  same  size  in  the  CMOS  library  we  consider), 
but  sometimes  this  is  not  possible  and  a  NOT  gate  is  required. 

At  this  time,  not  all  of  the  matrices  for  all  of  the  cases  considered  below  have  been  fully 
optimized,  but  the  data  so  far  indicate  how  full  optimization  can  improve  on  the  greedy 
algorithm.  For  the  architecture  with  separate  encryptor  and  decryptor,  all  cases  have  been 
fully  optimized:  of  1728  matrices  (8  x  8)  optimized,  762  (44%)  were  improved  by  at  least 
one  XOR,  and  of  those,  138  (18%  of  improved  ones)  were  improved  by  two  XOR’s,  and  11 
(1.4% of improved ones) were improved by three XOR's. For the merged architecture, the top 27 cases have been optimized: of 55 matrices (16 x 8) optimized, 24 (44%) were improved by one XOR, 10 (18%) were improved by two XOR's, and 6 (11%) were improved by three XOR's, so altogether 73% were improved.

We considered all of the subfield polynomial and normal bases that had a trace of unity. Over $GF(2^4)$, there are eight choices for $\nu$ that make $r(y) = y^2 + y + \nu$ irreducible, namely the four elements with the minimal polynomial (over $GF(2)$) $x^4 + x^3 + 1$, and the four elements with the minimal polynomial $x^4 + x^3 + x^2 + x + 1$. There are only two choices for $N$ that make the polynomial $s(z) = z^2 + z + N$ irreducible over $GF(2^2)$, namely the two roots of $t(w) = w^2 + w + 1$. Each of these polynomials $r(y)$, $s(z)$, and $t(w)$ has two distinct roots, and for a polynomial basis we may choose either, or for a normal basis we use both. So including the choices for $\nu$ and $N$ and the type of basis at each level, there are $(8 \times 3) \times (2 \times 3) \times (1 \times 3) = 432$ possible cases. (Note: the basis used in [12] corresponds to case number 252 in Appendix E.)

The most compact case was judged to be the one giving the least number of gates for the merged S-box architecture of [12], where a single inverter is shared for both encryption and decryption, using merged bit matrices X^{-1} and (MX)^{-1} before the inverter, and (MX) and X after. The total gates include the two optimized 16 × 8 matrices, the two additions of the constant b, one inverter, and also the multiplexors. As it happens, the case giving the most compact circuit for this architecture also gives the most compact separate encryptor (with just X^{-1}, inverter, (MX), and b) and decryptor (accounting for the gate-level optimizations of Section 4.5).

(The  envelope,  please...) 

The winner is case number 4 in the Appendix E table of all the cases. Here we will specify the relevant Galois elements in three forms: by our naming convention summarized in Table D.3, by decimal and by hexadecimal numbers (in C notation), which refer to the representation in the standard basis (in powers of A). This case uses normal bases for all subfields. For GF(2^8)/GF(2^4), the norm ν = β^8 = 236 = 0xEC, and y = d = 255 = 0xFF, so the basis is [d^16, d] = [0xFE, 0xFF] (recall that for each of the normal bases, the sum of the two elements is the trace, which is unity). For GF(2^4)/GF(2^2), N = Ω^2 = 188 = 0xBC and z = α^2 = 92 = 0x5C, so the basis is [α^8, α^2] = [0x5D, 0x5C]. And for GF(2^2), w = Ω = 189 = 0xBD, so the basis is [Ω^2, Ω] = [0xBC, 0xBD].

For this case, ν = N^2 z, i.e., C = 0 and D = N^2 in the table above, so this inverter is the smallest, consisting of 66 XOR's and 36 AND's. Incorporating the gate-level optimizations of Section 4.5 changes this to 56 XOR's, 34 NAND's, and 6 NOR's. The optimized versions of the merged basis change matrices have the following numbers of XOR's/XNOR's: [X^{-1} & (MX)^{-1}] = 20, [(MX) & X] = 18. Also, the additive constants of the affine transformation require 2 NOT's. For separate encryptor and decryptor, the optimized matrices have these sizes: X^{-1} = 13, MX = 11, X = 13, (MX)^{-1} = 12 (no NOT's required).

So the complete merged S-box and inverse, including inverter, transformation matrices, additive constant b, and multiplexors, totals 94 XOR/XNOR's + 34 NAND's + 6 NOR's + 2 NOT's + 16 MUX21I's (where MUX21I is a 2:1 selector and inverter [13]). Using the equivalencies 1 XOR/XNOR = 7/4 NAND gates, 1 NOR = 1 NAND gate, 1 NOT = 3/4 NAND gate, and 1 MUX21I = 7/4 NAND gates [13], this S-box is equivalent in size to 234 NAND's, an improvement of 20% over the merged S-box of [12] at 294 NAND's.

If separate encryptors and decryptors are preferable, then the S-box includes the bit matrices X^{-1} and MX and inverter, totaling 80 XOR's + 34 NAND's + 6 NOR's, with equivalent size 180 NAND's; the inverse S-box uses (MX)^{-1} and X and inverter, giving 81 XOR's + 34 NAND's + 6 NOR's, of size 181¾ NAND's.

Since we have not yet fully optimized the (16 × 8) matrices for all of the 432 possible cases, it is conceivable that one of the other cases could turn out to be better than case 4. We have optimized all cases whose estimated size, based on the greedy algorithm, was within 9 XOR's of the optimized size of case 4 (except in one case, where only 1 of the 2 matrices was optimized; it improved by 2 XOR's). So far, the best improvement in a single 16 × 8 matrix is 3 XOR's, and the best improvement in the pair of matrices for a single case is 5 XOR's. For some other case to be best, full optimization must improve a matrix pair, beyond what the greedy algorithm found, by at least 10 XOR's. We consider this highly unlikely, and so are confident that case 4 is indeed the best of all 432 cases.


6  Implementation  Details 

For the change of basis matrix, we want to change an element g of GF(2^8), the standard AES representation as a byte of 8 bits g_i ∈ GF(2), namely g_7 g_6 g_5 g_4 g_3 g_2 g_1 g_0, meaning g_7 A^7 + g_6 A^6 + g_5 A^5 + g_4 A^4 + g_3 A^3 + g_2 A^2 + g_1 A + g_0, into the new basis. Then in GF(2^8)/GF(2^4), g = γ_1 y^{16} + γ_0 y, where for each element γ ∈ GF(2^4)/GF(2^2), we have γ = Γ_1 z^4 + Γ_0 z, and each element Γ ∈ GF(2^2) is considered a pair of bits b_1 b_0, meaning b_1 w^2 + b_0 w. So the new byte representation b_7 b_6 b_5 b_4 b_3 b_2 b_1 b_0 is related to the old by

g_7 A^7 + g_6 A^6 + g_5 A^5 + g_4 A^4 + g_3 A^3 + g_2 A^2 + g_1 A + g_0
  = [(b_7 w^2 + b_6 w) z^4 + (b_5 w^2 + b_4 w) z] y^{16} + [(b_3 w^2 + b_2 w) z^4 + (b_1 w^2 + b_0 w) z] y
  = b_7 w^2 z^4 y^{16} + b_6 w z^4 y^{16} + b_5 w^2 z y^{16} + b_4 w z y^{16} + b_3 w^2 z^4 y + b_2 w z^4 y + b_1 w^2 z y + b_0 w z y

The relevant arithmetic in GF(2^8) (see Appendix D), using the standard A polynomial basis and logarithms base B, is: y = 0xFF = B^7, z = 0x5C = B^34, w = 0xBD = B^85, y^16 = B^112 = 0xFE, z^4 = B^136 = 0x5D, w^2 = B^170 = 0xBC, w^2 z^4 y^16 = B^418 = B^163 = 0x64, w z^4 y^16 = B^333 = B^78 = 0x78, w^2 z y^16 = B^316 = B^61 = 0x6E, w z y^16 = B^231 = 0x8C, w^2 z^4 y = B^313 = B^58 = 0x68, w z^4 y = B^228 = 0x29, w^2 z y = B^211 = 0xDE, w z y = B^126 = 0x60, so these become the columns of the basis change matrix X (rows for output bits 7 down to 0, columns for input bits 7 down to 0):

X =
  0 0 0 1 0 0 1 0
  1 1 1 0 1 0 1 1
  1 1 1 0 1 1 0 1
  0 1 0 0 0 0 1 0
  0 1 1 1 1 1 1 0
  1 0 1 1 0 0 1 0
  0 0 1 0 0 0 1 0
  0 0 0 0 0 1 0 0

Then the reverse change of basis is given by X^{-1} (modulo 2):

X^{-1} =
  1 1 1 0 0 1 1 1
  0 1 1 1 0 0 0 1
  0 1 1 0 0 0 1 1
  1 1 1 0 0 0 0 1
  1 0 0 1 1 0 1 1
  0 0 0 0 0 0 0 1
  0 1 1 0 0 0 0 1
  0 1 0 0 1 1 1 1

So to compute the S-box function of a given byte, first we do a bit-matrix multiply (by X^{-1}) to change into the basis for GF(2^8)/GF(2^4)/GF(2^2), then calculate the inverse. Then change basis back again and perform the affine transformation, through another bit-matrix multiply by MX:


MX =
  0 0 1 0 1 0 0 0
  1 0 0 0 1 0 0 0
  0 1 0 0 0 0 0 1
  1 0 1 0 1 0 0 0
  1 1 1 1 1 0 0 0
  0 1 1 0 1 1 0 1
  0 0 1 1 0 0 1 0
  0 1 0 1 0 0 1 0

and addition of the constant b.


The inverse S-box function is similar, except the XOR with constant b comes first. Then comes multiplication by the bit matrix

(MX)^{-1} =
  1 0 0 1 0 0 0 0
  0 1 0 1 0 0 1 1
  0 1 0 1 0 0 0 0
  0 1 0 0 1 0 1 1
  1 1 0 1 0 0 0 0
  1 0 1 0 0 1 0 0
  0 0 0 1 1 0 0 1
  0 1 1 1 0 0 1 1

And after finding the inverse, we convert back to the polynomial basis through multiplication by the matrix X.
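As an added example (not the paper's own code), the following C program recomputes the case-4 matrices from the elements y, z, w above using GF(2^8) arithmetic modulo the AES polynomial 0x11B, inverts the bit matrices over GF(2), composes X with the AES affine matrix M, and checks all four results against the A2X, X2A, X2S and S2X tables of Appendix A. The function names (gf_mul, gf_pow, x_columns, invert_cols, affine_m, check_tables) are mine, not the paper's.

```c
/* Recompute the case-4 basis-change tables from the elements y, z, w of
 * Section 6 and compare them with the tables in Appendix A (sbox.c).
 * Added example, not from the paper. Arithmetic is in the standard AES
 * polynomial basis, reduced modulo x^8 + x^4 + x^3 + x + 1 (0x11B). */
#include <stdio.h>
#include <string.h>

#define Y_ELT 0xFF   /* y = d, root of y^2 + y + nu (nu = 0xEC)   */
#define Z_ELT 0x5C   /* z = alpha^2, root of z^2 + z + N (N = w^2) */
#define W_ELT 0xBD   /* w = Omega, root of w^2 + w + 1            */

/* Appendix A tables: entry 0 is the column for input bit 7, entry 7 for bit 0 */
static const int A2X[8] = {0x98, 0xF3, 0xF2, 0x48, 0x09, 0x81, 0xA9, 0xFF};
static const int X2A[8] = {0x64, 0x78, 0x6E, 0x8C, 0x68, 0x29, 0xDE, 0x60};
static const int X2S[8] = {0x58, 0x2D, 0x9E, 0x0B, 0xDC, 0x04, 0x03, 0x24};
static const int S2X[8] = {0x8C, 0x79, 0x05, 0xEB, 0x12, 0x04, 0x51, 0x53};

/* multiply in GF(2^8) with the AES polynomial */
int gf_mul(int a, int b)
{
    int r = 0;
    while (b) {
        if (b & 1) r ^= a;
        a <<= 1;
        if (a & 0x100) a ^= 0x11B;
        b >>= 1;
    }
    return r;
}

int gf_pow(int a, int e)
{
    int r = 1;
    while (e-- > 0) r = gf_mul(r, a);
    return r;
}

/* columns of X: new-basis bit 7 is w^2 z^4 y^16, bit 6 is w z^4 y^16, ...,
 * bit 0 is w z y, each written as a byte in the polynomial basis */
void x_columns(int col[8])
{
    int bit;
    for (bit = 7; bit >= 0; bit--) {
        int w = gf_pow(W_ELT, (bit & 1) ? 2 : 1);    /* odd bit: w^2, else w    */
        int z = gf_pow(Z_ELT, (bit & 2) ? 4 : 1);    /* bit 1 set: z^4, else z  */
        int y = gf_pow(Y_ELT, (bit & 4) ? 16 : 1);   /* bit 2 set: y^16, else y */
        col[7 - bit] = gf_mul(gf_mul(w, z), y);
    }
}

/* invert an 8x8 matrix over GF(2) given in column form (Gauss-Jordan on [A|I]);
 * row[r] bit j holds entry (output bit r, input bit j); returns 0 if singular */
int invert_cols(const int col[8], int inv[8])
{
    unsigned int row[8], aug[8], t;
    int r, j, k;
    for (r = 0; r < 8; r++) {
        row[r] = 0;
        for (j = 0; j < 8; j++)
            if ((col[7 - j] >> r) & 1) row[r] |= 1u << j;
        aug[r] = 1u << r;
    }
    for (j = 0; j < 8; j++) {
        for (k = j; k < 8 && !((row[k] >> j) & 1); k++)
            ;
        if (k == 8) return 0;
        t = row[k]; row[k] = row[j]; row[j] = t;      /* bring pivot to row j */
        t = aug[k]; aug[k] = aug[j]; aug[j] = t;
        for (r = 0; r < 8; r++)                       /* clear column j elsewhere */
            if (r != j && ((row[r] >> j) & 1)) { row[r] ^= row[j]; aug[r] ^= aug[j]; }
    }
    for (j = 0; j < 8; j++) {                         /* aug is A^-1; back to columns */
        inv[7 - j] = 0;
        for (r = 0; r < 8; r++)
            if ((aug[r] >> j) & 1) inv[7 - j] |= 1 << r;
    }
    return 1;
}

/* the AES affine matrix M (without the constant 0x63): input bit j feeds
 * output bits j, j+1, ..., j+4 (mod 8), i.e. column j is 0x1F rotated left by j */
int affine_m(int x)
{
    int j, y = 0;
    for (j = 0; j < 8; j++)
        if ((x >> j) & 1) y ^= ((0x1F << j) | (0x1F >> (8 - j))) & 0xFF;
    return y;
}

/* 1 if X, X^-1, MX and (MX)^-1 all agree with Appendix A, else 0;
 * also prints the recomputed columns of X */
int check_tables(void)
{
    int X[8], Xi[8], MX[8], MXi[8], i;
    x_columns(X);
    for (i = 0; i < 8; i++) {
        MX[i] = affine_m(X[i]);                       /* M applied to each column */
        printf("X column for bit %d: 0x%02X\n", 7 - i, X[i]);
    }
    if (!invert_cols(X, Xi) || !invert_cols(MX, MXi)) return 0;
    return !memcmp(X, X2A, sizeof X) && !memcmp(Xi, A2X, sizeof X) &&
           !memcmp(MX, X2S, sizeof X) && !memcmp(MXi, S2X, sizeof X);
}
```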

The optimized versions of these matrices can be shown in product form to indicate the factoring out of common bit combinations, where a horizontal line divides each matrix into two blocks, and I means an identity matrix of appropriate size. For each matrix row, the number of 1's, less one, is the number of two-input XOR gates needed for that row.

[Product-form factorings of [X^{-1} & (MX)^{-1}] and [(MX) & X]: block bit matrices, not legible in this copy; the optimized column sets and the index pairs of the shared XORs for case 4 appear in the sample output of Appendix C.]

The implementation of the Galois inverter has mostly been given in Section 4.2 above, since normal bases are used at each level. There can be found the top-level inverter, the GF(2^4) inverter and multiplier, the GF(2^2) inverter (square, i.e., bit swap), multiplier, and scalers for both N = w^2 and N^2 = w. The combination of multiplication with scaling by N = w^2 in GF(2^2) is given by

f = g_0 \otimes \delta_0
N \Gamma \Delta = [f \oplus ((g_1 \oplus g_0) \otimes (\delta_1 \oplus \delta_0))] w^2 + [f \oplus (g_1 \otimes \delta_1)] w

The only other operation required is the square-scale operator in the normal basis GF(2^4), as shown on page 18 for C = 0 and D = N^2, which is

\nu (A z^4 + B z)^2 = [(A \oplus B)^2] z^4 + [N^2 \otimes B^2] z

where the squaring is free (see Figure 19).

Figure 19: Normal GF(2^4) square-scale: \nu \otimes (\Gamma_1 z^4 + \Gamma_0 z)^2 = \Delta_1 z^4 + \Delta_0 z

Appendix A gives a C program that implements the S-box function (and its inverse) to illustrate the algorithm. This shows the hierarchical structure of the subfield approach, but does not include the low-level optimizations of Section 4.4. The output is a table that can be compared with the reference version in the file boxes-ref.dat, included in the "Reference code in ANSI C v2.2." link from The Rijndael Page:
http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

Appendix B gives our compact implementation of the merged S-box and inverse as a Verilog module. All the low-level optimizations of Sections 4.4 and 4.5 are shown. These include: pre-computing sums of high and low parts of common factors for multipliers; in the GF(2^8) inverter, using the bit sums of common factors to replace some terms in the scaled square of the sum of high and low inputs; similarly in the GF(2^4) inverter; using NAND's instead of AND's, and replacing some XOR's and NAND's by NOR's.

We successfully tested this implementation using an FPGA (though our approach is really more appropriate for ASIC's). Specifically, we used an SRC-6E Reconfigurable Computer, which includes two Intel processors and two Virtex II FPGA's. As implemented on one FPGA, the function evaluation takes just one tick of the 100 MHz clock, the same amount of time needed for the table look-up approach.

We also implemented a complete AES encryptor/decryptor on this same system, using our S-box. Certain constraints (block RAM access) of this particular system prevent using table lookup for a fully unrolled pipelined version; 160 copies of the table (16 bytes/round × 10 rounds) would not fit. So for this system, our compact S-box allowed us to implement a fully pipelined encryptor/decryptor, where in the FPGA, effectively one block is processed for each clock tick.


7  Conclusion 

The goal of this work is an algorithm to compute the S-box function of AES, that can be implemented in hardware with a minimal amount of circuitry. This should save a significant amount of chip area in ASIC hardware versions of AES. Moreover, this area savings could allow many copies of the S-box circuit to fit on a chip, enough to "unroll" the loop of 10 rounds. This in turn would allow the AES process to be fully pipelined, increasing the rate of throughput significantly (for non-feedback modes of encryption), on smaller chips.

This algorithm employs the multi-level representation of arithmetic in GF(2^8), similar to the previous compact implementation of Satoh et al. [12]. Our work shows how this approach leads to a whole family of 432 implementations, depending on the particular isomorphism (basis) chosen, from which we found the best one. And in factoring the transformation (basis change) matrices for compactness, rather than rely on the greedy algorithm as in prior work, we fully optimized the matrices, using our tree search algorithm with pruning of redundant cases. This gave an improvement over the greedy algorithm in 73% of the (16 × 8) matrices that we optimized. Also new is the detailed description of this nested-subfield algorithm, including specification of all constants for each choice of representation.

Our best compact implementation gives an S-box that is 20% smaller than the previously most compact version of [12]. We have shown that none of the other 431 versions possible with this subfield approach is as small. This compact S-box could be useful for many future hardware implementations of AES, for a variety of security applications.
A  S-box Algorithm in C

/* sbox.c
 *
 * by: David Canright
 *
 * illustrates compact implementation of AES S-box via subfield operations
 * case # 4 : [d^16, d], [alpha^8, alpha^2], [Omega^2, Omega]
 * nu = beta^8 = N^2*alpha^2, N = w^2
 */

#include <stdio.h>
#include <sys/types.h>

/* to convert between polynomial (A^7...1) basis A & normal basis X */
/* or to basis S which incorporates bit matrix of Sbox */
/* each table holds the 8 columns of a bit matrix, index 0 = column for bit 7 */
static int
A2X[8] = {0x98, 0xF3, 0xF2, 0x48, 0x09, 0x81, 0xA9, 0xFF},
X2A[8] = {0x64, 0x78, 0x6E, 0x8C, 0x68, 0x29, 0xDE, 0x60},
X2S[8] = {0x58, 0x2D, 0x9E, 0x0B, 0xDC, 0x04, 0x03, 0x24},
S2X[8] = {0x8C, 0x79, 0x05, 0xEB, 0x12, 0x04, 0x51, 0x53};

/* multiply in GF(2^2), using normal basis (Omega^2,Omega) */
int G4_mul( int x, int y ) {
  int a, b, c, d, e, p, q;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  c = (y & 0x2) >> 1; d = (y & 0x1);
  e = (a ^ b) & (c ^ d);
  p = (a & c) ^ e;
  q = (b & d) ^ e;
  return ( (p<<1) | q );
}

/* scale by N = Omega^2 in GF(2^2), using normal basis (Omega^2,Omega) */
int G4_scl_N( int x ) {
  int a, b, p, q;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  p = b;
  q = a ^ b;
  return ( (p<<1) | q );
}

/* scale by N^2 = Omega in GF(2^2), using normal basis (Omega^2,Omega) */
int G4_scl_N2( int x ) {
  int a, b, p, q;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  p = a ^ b;
  q = a;
  return ( (p<<1) | q );
}

/* square in GF(2^2), using normal basis (Omega^2,Omega) */
/* NOTE: inverse is identical */
int G4_sq( int x ) {
  int a, b;
  a = (x & 0x2) >> 1; b = (x & 0x1);
  return ( (b<<1) | a );
}

/* multiply in GF(2^4), using normal basis (alpha^8,alpha^2) */
int G16_mul( int x, int y ) {
  int a, b, c, d, e, p, q;
  a = (x & 0xC) >> 2; b = (x & 0x3);
  c = (y & 0xC) >> 2; d = (y & 0x3);
  e = G4_mul( a ^ b, c ^ d );
  e = G4_scl_N(e);
  p = G4_mul( a, c ) ^ e;
  q = G4_mul( b, d ) ^ e;
  return ( (p<<2) | q );
}

/* square & scale by nu in GF(2^4)/GF(2^2), normal basis (alpha^8,alpha^2) */
/* nu = beta^8 = N^2*alpha^2, N = w^2 */
int G16_sq_scl( int x ) {
  int a, b, p, q;
  a = (x & 0xC) >> 2; b = (x & 0x3);
  p = G4_sq(a ^ b);
  q = G4_scl_N2(G4_sq(b));
  return ( (p<<2) | q );
}

/* inverse in GF(2^4), using normal basis (alpha^8,alpha^2) */
int G16_inv( int x ) {
  int a, b, c, d, e, p, q;
  a = (x & 0xC) >> 2; b = (x & 0x3);
  c = G4_scl_N( G4_sq( a ^ b ) );
  d = G4_mul( a, b );
  e = G4_sq( c ^ d );  /* really inverse, but same as square */
  p = G4_mul( e, b );
  q = G4_mul( e, a );
  return ( (p<<2) | q );
}

/* inverse in GF(2^8), using normal basis (d^16,d) */
int G256_inv( int x ) {
  int a, b, c, d, e, p, q;
  a = (x & 0xF0) >> 4; b = (x & 0x0F);
  c = G16_sq_scl( a ^ b );
  d = G16_mul( a, b );
  e = G16_inv( c ^ d );
  p = G16_mul( e, b );
  q = G16_mul( e, a );
  return ( (p<<4) | q );
}

/* convert to new basis in GF(2^8) */
/* i.e., bit matrix multiply: bit 0 of x selects column b[7], bit 7 selects b[0] */
int G256_newbasis( int x, int b[] ) {
  int i, y = 0;
  for ( i=7; i >= 0; i-- ) {
    if ( x & 1 ) y ^= b[i];
    x >>= 1;
  }
  return ( y );
}

/* find Sbox of n in GF(2^8) mod POLY */
int Sbox( int n ) {
  int t;
  t = G256_newbasis( n, A2X );
  t = G256_inv( t );
  t = G256_newbasis( t, X2S );
  return ( t ^ 0x63 );
}

/* find inverse Sbox of n in GF(2^8) mod POLY */
int iSbox( int n ) {
  int t;
  t = G256_newbasis( n ^ 0x63, S2X );
  t = G256_inv( t );
  t = G256_newbasis( t, X2A );
  return ( t );
}

/* compute tables of Sbox & its inverse; print 'em out */
int main () {
  int Sbox_tbl[256], iSbox_tbl[256], i, j;

  for (i = 0; i < 256; i++) {
    Sbox_tbl[i] = Sbox(i);
    iSbox_tbl[i] = iSbox(i);
  }

  printf("char S[256] = {\n");
  for (i = 0; i < 16; i++) {
    for (j = 0; j < 16; j++) {
      printf( "%3d, ", Sbox_tbl[i*16+j] );
    }
    printf( "\n" );
  }
  printf( "};\n\n" );

  printf("char Si[256] = {\n");
  for (i = 0; i < 16; i++) {
    for (j = 0; j < 16; j++) {
      printf( "%3d, ", iSbox_tbl[i*16+j] );
    }
    printf( "\n" );
  }
  printf( "};\n\n" );

  return(0);
}
B  S-box Algorithm in Verilog

/* S-box using all normal bases */
/* case # 4 : [d^16, d], [alpha^8, alpha^2], [Omega^2, Omega] */
/* beta^8 = N^2*alpha^2, N = w^2 */
/* optimized using OR gates and NAND gates */

/* square in GF(2^2), using normal basis [Omega^2,Omega] */
/* inverse is the same as square in GF(2^2), using any normal basis */
module GF_SQ_2 ( A, Q );
  input [1:0] A;
  output [1:0] Q;
  assign Q = { A[0], A[1] };
endmodule

/* scale by w = Omega in GF(2^2), using normal basis [Omega^2,Omega] */
module GF_SCLW_2 ( A, Q );
  input [1:0] A;
  output [1:0] Q;
  assign Q = { (A[1] ^ A[0]), A[1] };
endmodule

/* scale by w^2 = Omega^2 in GF(2^2), using normal basis [Omega^2,Omega] */
module GF_SCLW2_2 ( A, Q );
  input [1:0] A;
  output [1:0] Q;
  assign Q = { A[0], (A[1] ^ A[0]) };
endmodule

/* multiply in GF(2^2), shared factors, using normal basis [Omega^2,Omega] */
/* ab and cd are the precomputed bit sums A[1]^A[0] and B[1]^B[0] */
module GF_MULS_2 ( A, ab, B, cd, Q );
  input [1:0] A;
  input ab;
  input [1:0] B;
  input cd;
  output [1:0] Q;
  wire abcd, p, q;
  assign abcd = ~(ab & cd);  /* note: ~& syntax for NAND won't compile */
  assign p = (~(A[1] & B[1])) ^ abcd;
  assign q = (~(A[0] & B[0])) ^ abcd;
  assign Q = { p, q };
endmodule

/* multiply & scale by N in GF(2^2), shared factors, basis [Omega^2,Omega] */
module GF_MULS_SCL_2 ( A, ab, B, cd, Q );
  input [1:0] A;
  input ab;
  input [1:0] B;
  input cd;
  output [1:0] Q;
  wire t, p, q;
  assign t = ~(A[0] & B[0]);  /* note: ~& syntax for NAND won't compile */
  assign p = (~(ab & cd)) ^ t;
  assign q = (~(A[1] & B[1])) ^ t;
  assign Q = { p, q };
endmodule

/* inverse in GF(2^4)/GF(2^2), using normal basis [alpha^8, alpha^2] */
module GF_INV_4 ( A, Q );
  input [3:0] A;
  output [3:0] Q;
  wire [1:0] a, b, c, d, p, q;
  wire sa, sb, sd;  /* for shared factors in multipliers */

  assign a = A[3:2];
  assign b = A[1:0];
  assign sa = a[1] ^ a[0];
  assign sb = b[1] ^ b[0];
  /* optimize this section as shown below
  GF_MULS_2 abmul(a, sa, b, sb, ab);
  GF_SQ_2 absq( (a ^ b), ab2);
  GF_SCLW2_2 absclN( ab2, ab2N);
  GF_SQ_2 dinv( (ab ^ ab2N), d);
  */
  assign c = {  /* note: ~| syntax for NOR won't compile */
    ~(a[1] | b[1]) ^ (~(sa & sb)) ,
    ~(sa | sb) ^ (~(a[0] & b[0])) };
  GF_SQ_2 dinv( c, d);
  /* end of optimization */
  assign sd = d[1] ^ d[0];
  GF_MULS_2 pmul(d, sd, b, sb, p);
  GF_MULS_2 qmul(d, sd, a, sa, q);
  assign Q = { p, q };
endmodule

/* square & scale by nu in GF(2^4)/GF(2^2), normal basis [alpha^8, alpha^2] */
/* nu = beta^8 = N^2*alpha^2, N = w^2 */
module GF_SQ_SCL_4 ( A, Q );
  input [3:0] A;
  output [3:0] Q;
  wire [1:0] a, b, ab2, b2, b2N2;
  assign a = A[3:2];
  assign b = A[1:0];
  GF_SQ_2 absq(a ^ b,ab2);
  GF_SQ_2 bsq(b,b2);
  GF_SCLW_2 bmulN2(b2,b2N2);
  assign Q = { ab2, b2N2 };
endmodule

/* multiply in GF(2^4)/GF(2^2), shared factors, basis [alpha^8, alpha^2] */
/* a = A[3:2]^A[1:0]; Al, Ah, aa are the bit sums of A[1:0], A[3:2], a */
module GF_MULS_4 ( A, a, Al, Ah, aa, B, b, Bl, Bh, bb, Q );
  input [3:0] A;
  input [1:0] a;
  input Al;
  input Ah;
  input aa;
  input [3:0] B;
  input [1:0] b;
  input Bl;
  input Bh;
  input bb;
  output [3:0] Q;
  wire [1:0] ph, pl, ps, p;
  wire t;
  GF_MULS_2 himul(A[3:2], Ah, B[3:2], Bh, ph);
  GF_MULS_2 lomul(A[1:0], Al, B[1:0], Bl, pl);
  GF_MULS_SCL_2 summul( a, aa, b, bb, p);
  assign Q = { (ph ^ p), (pl ^ p) };
endmodule

/* inverse in GF(2^8)/GF(2^4), using normal basis [d^16, d] */
module GF_INV_8 ( A, Q );
  input [7:0] A;
  output [7:0] Q;
  wire [3:0] a, b, c, d, p, q;
  wire [1:0] sa, sb, sd, t;  /* for shared factors in multipliers */
  wire al, ah, aa, bl, bh, bb, dl, dh, dd;  /* for shared factors */
  wire c1, c2, c3;  /* for temp var */
  assign a = A[7:4];
  assign b = A[3:0];
  assign sa = a[3:2] ^ a[1:0];
  assign sb = b[3:2] ^ b[1:0];
  assign al = a[1] ^ a[0];
  assign ah = a[3] ^ a[2];
  assign aa = sa[1] ^ sa[0];
  assign bl = b[1] ^ b[0];
  assign bh = b[3] ^ b[2];
  assign bb = sb[1] ^ sb[0];
  /* optimize this section as shown below
  GF_MULS_4 abmul(a, sa, al, ah, aa, b, sb, bl, bh, bb, ab);
  GF_SQ_SCL_4 absq( (a ^ b), ab2);
  GF_INV_4 dinv( (ab ^ ab2), d);
  */
  assign c1 = ~(ah & bh);
  assign c2 = ~(sa[0] & sb[0]);
  assign c3 = ~(aa & bb);
  assign c = {  /* note: ~| syntax for NOR won't compile */
    (~(sa[0] | sb[0]) ^ (~(a[3] & b[3]))) ^ c1 ^ c3 ,
    (~(sa[1] | sb[1]) ^ (~(a[2] & b[2]))) ^ c1 ^ c2 ,
    (~(al | bl) ^ (~(a[1] & b[1]))) ^ c2 ^ c3 ,
    (~(a[0] | b[0]) ^ (~(al & bl))) ^ (~(sa[1] & sb[1])) ^ c2 };
  GF_INV_4 dinv( c, d);
  /* end of optimization */
  assign sd = d[3:2] ^ d[1:0];
  assign dl = d[1] ^ d[0];
  assign dh = d[3] ^ d[2];
  assign dd = sd[1] ^ sd[0];
  GF_MULS_4 pmul(d, sd, dl, dh, dd, b, sb, bl, bh, bb, p);
  GF_MULS_4 qmul(d, sd, dl, dh, dd, a, sa, al, ah, aa, q);
  assign Q = { p, q };
endmodule

/* MUX21I is an inverting 2:1 multiplexor */
module MUX21I ( A, B, s, Q );
  input A;
  input B;
  input s;
  output Q;
  assign Q = ~(s ? A : B);  /* mock-up for FPGA implementation */
endmodule

/* select and invert (NOT) byte, using MUX21I */
module SELECT_NOT_8 ( A, B, s, Q );
  input [7:0] A;
  input [7:0] B;
  input s;
  output [7:0] Q;
  MUX21I m7(A[7],B[7],s,Q[7]);
  MUX21I m6(A[6],B[6],s,Q[6]);
  MUX21I m5(A[5],B[5],s,Q[5]);
  MUX21I m4(A[4],B[4],s,Q[4]);
  MUX21I m3(A[3],B[3],s,Q[3]);
  MUX21I m2(A[2],B[2],s,Q[2]);
  MUX21I m1(A[1],B[1],s,Q[1]);
  MUX21I m0(A[0],B[0],s,Q[0]);
endmodule

/* find either Sbox or its inverse in GF(2^8), by Canright Algorithm */
module bSbox ( A, encrypt, Q );
  input [7:0] A;
  input encrypt;  /* 1 for Sbox, 0 for inverse Sbox */
  output [7:0] Q;
  wire [7:0] B, C, D, X, Y, Z;
  wire R1, R2, R3, R4, R5, R6, R7, R8, R9;
  wire T1, T2, T3, T4, T5, T6, T7, T8, T9, T10;

  /* change basis from GF(2^8) to GF(2^8)/GF(2^4)/GF(2^2) */
  /* combine with bit inverse matrix multiply of Sbox */
  /* B is the complement of X^-1 A, and Y the complement of (MX)^-1 (A ^ 0x63),
     since the selecting MUX21I inverts; the XNORs (~^) and the one NOT
     supply those complements (20 XOR/XNOR + 1 NOT, as counted in Section 5) */
  assign R1 = A[7] ^ A[5];
  assign R2 = A[7] ~^ A[4];
  assign R3 = A[6] ^ A[0];
  assign R4 = A[5] ~^ R3;
  assign R5 = A[4] ^ R4;
  assign R6 = A[3] ^ A[0];
  assign R7 = A[2] ^ R1;
  assign R8 = A[1] ^ R3;
  assign R9 = A[3] ^ R8;
  assign B[7] = R7 ~^ R8;
  assign B[6] = R5;
  assign B[5] = A[1] ^ R4;
  assign B[4] = R1 ~^ R3;
  assign B[3] = A[1] ^ R2 ^ R6;
  assign B[2] = ~A[0];
  assign B[1] = R4;
  assign B[0] = A[2] ~^ R9;
  assign Y[7] = R2;
  assign Y[6] = A[4] ^ R8;
  assign Y[5] = A[6] ^ A[4];
  assign Y[4] = R9;
  assign Y[3] = A[6] ~^ R2;
  assign Y[2] = R7;
  assign Y[1] = A[4] ^ R6;
  assign Y[0] = A[1] ^ R5;

  SELECT_NOT_8 sel_in( B, Y, encrypt, Z );
  GF_INV_8 inv( Z, C );

  /* change basis back from GF(2^8)/GF(2^4)/GF(2^2) to GF(2^8) */
  /* D is the complement of (MX C ^ 0x63), X the complement of X C
     (18 XOR/XNOR + 1 NOT) */
  assign T1 = C[7] ^ C[3];
  assign T2 = C[6] ^ C[4];
  assign T3 = C[6] ^ C[0];
  assign T4 = C[5] ~^ C[3];
  assign T5 = C[5] ~^ T1;
  assign T6 = C[5] ~^ C[1];
  assign T7 = C[4] ~^ T6;
  assign T8 = C[2] ^ T4;
  assign T9 = C[1] ^ T2;
  assign T10 = T3 ^ T5;
  assign D[7] = T4;
  assign D[6] = T1;
  assign D[5] = T3;
  assign D[4] = T5;
  assign D[3] = T2 ^ T5;
  assign D[2] = T3 ^ T8;
  assign D[1] = T7;
  assign D[0] = T9;
  assign X[7] = C[4] ~^ C[1];
  assign X[6] = C[1] ^ T10;
  assign X[5] = C[2] ^ T10;
  assign X[4] = C[6] ~^ C[1];
  assign X[3] = T8 ^ T9;
  assign X[2] = C[7] ~^ T7;
  assign X[1] = T6;
  assign X[0] = ~C[2];

  SELECT_NOT_8 sel_out( D, X, encrypt, Q );
endmodule

/* test program: put Sbox output into register */
module Sbox_r ( A, S, Si, CLK );
  input [7:0] A;
  output [7:0] S;
  output [7:0] Si;
  input CLK /* synthesis syn_noclockbuf=1 */ ;
  reg [7:0] S;
  reg [7:0] Si;
  wire [7:0] s;
  wire [7:0] si;
  bSbox sbe(A,1,s);
  bSbox sbd(A,0,si);
  always @ (posedge CLK) begin
    S <= s;
    Si <= si;
  end
endmodule
C  Bit-Matrix Optimizer in C

/* bestboth.c
 *
 * by: David Canright
 *
 * for each input basis, and each of 4 transformation matrices,
 * takes bit matrix and finds equivalent with minimum # of gates
 * combining both input matrices, and both output matrices
 * NOTE: matrix input order is: [A2X, X2A, X2S, S2X]
 *
 * input should have lines of the form:
 *   hexstring num
 * where hexstring contains all 4 matrices, num is an ID#, e.g.:
 *   98F3F2480981A9FF64786E8C6829DE60582D9E0BDC0403248C7905EB12045153 4
 * for which the output should be:
 *   basis # 4:
 *   A2X: 98F3F2480981A9FF S2X: 8C7905EB12045153
 *    ncols = 8, gates = 42
 *   A2Xb: 0000000000012804100810224008808001
 *   S2Xb: 0028006200000100008800000102044010
 *    [0,2], [0,3], [1,7], [2,10], [3,11], [4,7], [5,8], [6,10], [4,15],
 *    ncols = 17, gates = 20
 *   X2S: 582D9E0BDC040324 X2A: 64786E8C6829DE60
 *    ncols = 8, gates = 38
 *   X2Sb: 000000000000000040082480180002040100
 *   X2Ab: 041000800021D00000000000000204080860
 *    [0,4], [1,3], [1,7], [2,4], [2,8], [2,6], [3,13], [5,11], [6,9], [10,12],
 *    ncols = 18, gates = 18
 *   ***bestgates 4 = 38 = 20 + 18
 * which, for each matrix pair, shows the original versions (8 columns),
 * the optimized versions, and a list of index pairs for precomputed XORs,
 * which correspond to new columns. Also shown: # XOR gates required.
 * Note: a "quick" test case is:
 *   F1261450CA86D330C502A8BF412B3590352582D03974323C65C4836C69953380 0
 *
 * uses pruning algorithm to eliminate redundant cases; minimal memory copying
 */

#include <stdio.h>
#include <string.h>

#define N 8

/* gatematrix is a structure with an array of 16-bit columns,
   list of indices (used in pairs), number of columns, and number of gates */
typedef struct gatematrix
  { unsigned int mat[128]; char ind[256]; int n; int g; }
GateMat;

static unsigned int share[65536];  /* gates saved by sharing a column pair */
static GateMat test;

/* blockPrint prints columns and index pairs for matrix pair */
void blockPrint (GateMat *p, const char *tag1, const char *tag2)
{
  int i;
  printf("%6s: ", tag1);
  for (i = 0; i < p->n; i++)
    printf("%02X", (p->mat[i]) & 0XFF);
  if ((p->n) > N) printf("\n");
  printf("%6s: ", tag2);
  for (i = 0; i < p->n; i++)
    printf("%02X", ((p->mat[i]) & 0XFF00) >> 8);
  if ((p->n) > N) printf("\n");
  for (i = 0; i < (p->n)-N; i++)
    printf(" [%1d,%1d], ", p->ind[2*i], p->ind[2*i+1]);
  printf("\n ncols = %2d, gates = %2d\n", p->n, p->g);
} /* end blockPrint */

/* copyMat copies from one to another */
void copyMat (GateMat *p, GateMat *q)
{
  int i, n;
  n = q->n = p->n;
  q->g = p->g;
  memcpy( q->mat, p->mat, n * sizeof(unsigned int));
  memcpy( q->ind, p->ind, (n - N)*2);
} /* end copyMat */

/*
 * bestgates is recursive:
 * takes current matrix, tries all possibilities of adding a gate
 * returns best # of gates
 * p points to test matrix on input, and used to store output.
 * tree search is pruned if this set of columns previously tried
 */
void bestgates ()
{
  char indb[256];
  int gb, nb, ci, cj;
  int i, j, n, c, g, io, jo;
  int nm, np, n2, n2p, t;

  gb = 1024;  /* best # gates, start high */
  n = test.n; g = test.g;
  nm=n-1; np=n+1; n2=2*(n-N); n2p=n2+1;
  if (n==N) io=jo=0;  /* if orig matrix, no "old" index pair */
  else { io = (test.ind[n2-2]); jo = (test.ind[n2-1]); }
  for (i=0;i<nm;i++)  /* for each pair of columns */
    for (j=i+1;j<n;j++) {
      c = (test.mat[i]) & (test.mat[j]);
      if (t=share[c]) {  /* if can share a gate */
        if (i<io && j!=io && j!=jo && j<nm)  /* if prior, indep. pair */
          continue;  /* then been there, done that; skip to next j */
        test.n = np;
        test.g = g - t;
        ci = test.mat[i];  /* save current columns */
        cj = test.mat[j];
        test.mat[i] ^= c;  /* update to new columns */
        test.mat[j] ^= c;
        test.mat[n] = c;
        test.ind[n2] = i;
        test.ind[n2p] = j;
        bestgates();  /* recurse with new matrix */
        test.mat[i] = ci;  /* restore current columns */
        test.mat[j] = cj;
        if ( test.g < gb ) {  /* if best yet, save data */
          memcpy( indb, test.ind+n2, (test.n - n)*2);
          nb = test.n;
          gb = test.g;
        }
      }
    }  /* end columns loop */
  if (gb < 1024) {  /* if improved, return best data */
    memcpy( test.ind+n2, indb, (nb - n)*2);
    test.n = nb;
    test.g = gb;
  }
  /* else {printf("%3d [%2d]",n,g); fflush(stdout);} */
} /* end bestgates */

/* bestmat reconstructs best matrix */
void bestmat (GateMat *p)
{
  int i, j, n, c;
  int nm, np, n2, n2p, t;
  GateMat best;

  n = test.n;
  p->g = test.g;
  for (i=0;i<N;i++) test.mat[i] = p->mat[i];

for  (n=0;n<(test .n-N) ;n++)  { 

i  =  test . ind [n*2] ; 

j  =  test . ind [n*2+l]  ; 

c  =  (test .mat [i] )  &  (test .mat [j] ) ; 

test. mat [i]  ~=  c; 

test,  mat  [j]  ~=  c; 

test .mat [n+N]  =  c; 

} 

}  /*  end  bestmat  */ 

/*  main  */ 

int  main(  int  argc,  char  *argv[]  ){ 
char  line [256]; 

char  name [4] [4]  =  {"A2X" ,  "X2S" ,  "S2X",  "X2A" ,  }; 

char  bname [4] [5]  ={"A2Xb",  "X2Sb",  "S2Xb",  "X2Ab\  >; 

long  int  i,  j,  k,  n,  nid,  gt; 

unsigned  u; 

int  InitMat [32]  ; 

GateMat  orig[2]; 

/*  share [i]  is  initialized  to  0  if  #  bits  <  2  */ 
share [0]  =  0; 
for  (i=l ; i<65536; i++)  { 
k=0 ; 

for  (j=i&0xFFFF;  j;  j  »=1)  k  +=  j&l; 
share [i]  =  k— 1 ; 

} 

while  (  fgets(  line,  256,  stdin  )  ==  line  )  { 

for  (  i=0;  i  <  32;  i++  )  {  /*  read  matrices,  ID  number  */ 

sscanf(  line+2*i,  "7„02X" ,  &u  ); 

InitMat [i]  =  u; 

} 

sscanf(  line+65,  "°/„d" ,  &nid  ); 
printf ("\nbasis  #7„3d:\n",  nid); 
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/*  NOTE:  matrix  input  order  is:  [A2X,  X2A,  X2S,  S2X]  */ 

for  (i=0 ; i<8 ; i++)  {  /*  combine  input  pair;  combine  output  pair  */ 

(orig[0] )  .mat  [i]  =  InitMat  [8*0+i]  |  (InitMat [8*3+i]  «8)  ; 
(origtl] )  .mat  [i]  =  InitMat  [8*2+i]  |  (InitMat  [8*l+i]  «8)  ; 

> 


gt  =  0; 

for  (k=0;k<2;k++)  {  /*  for  each  matrix  pair  */ 

(orig[k]).n  =8;  /*  initialize  #  columns,  #  gates  */ 

for  (i=j=0;  i<8;  i++)  j  +=  share [  (orig[k] ) .mat [i]  ]; 
(orig[k] )  .g  =  j  -  8; 

blockPrint  (&(orig[k]),  name [k] ,  name [k+2] ) ; 
f f lush(stdout) ; 

copyMat (&(orig [k] ) ,  &test) ; 
bestgatesO;  /*  optimize  */ 
bestmat (& (orig  [k] ) ) ; 

blockPrint  (&test,  bname  [k] ,  bname  [k+2] ) ; 
f f lush(stdout) ; 

gt  +=  test.g;  /*  total  #  gates  */ 

} 

printf ("***bestgates  703d  =  %5d  =°/05d  +%5d\n", 

nid,  gt,  (orig [0] ) . g,  (origtl]). g  ); 
f f lush(stdout) ; 

} 

return(O) ; 

}  /*  end  main  */ 
D  Tables for GF(2^8)

D.1  Logarithm Table

For each number in decimal, hexadecimal, and binary, gives the logarithm base B in GF(2^8),
using the polynomial basis from the root A of q(x) = x^8 + x^4 + x^3 + x + 1, where B = A + 1.
(See Table D.3 for an explanation of the names.)


dec | hex | binary | log | name
0 | 00 | 00000000 | −∞ | 0
1 | 01 | 00000001 | 0 | 1
2 | 02 | 00000010 | 25 | A
3 | 03 | 00000011 | 1 | B
4 | 04 | 00000100 | 50 | A2
5 | 05 | 00000101 | 2 | B 2
6 | 06 | 00000110 | 26 | C 2
7 | 07 | 00000111 | 198 | ]?64
8 | 08 | 00001000 | 75 | EM
9 | 09 | 00001001 | 199 | D8
10 | 0A | 00001010 | 27 | F
11 | 0B | 00001011 | 104 | C 8
12 | 0C | 00001100 | 51 | 7
13 | 0D | 00001101 | 238 | P
14 | 0E | 00001110 | 223 | bX2
15 | 0F | 00001111 | 3 | K
16 | 10 | 00010000 | 100 | A4
17 | 11 | 00010001 | 4 | B4
18 | 12 | 00010010 | 224 | di2
19 | 13 | 00010011 | 14 | d2
20 | 14 | 00010100 | 52 | C 4
21 | 15 | 00010101 | 141 | F1‘2S
22 | 16 | 00010110 | 129 | K 128
23 | 17 | 00010111 | 239 | bw
24 | 18 | 00011000 | 76 | 9 4
25 | 19 | 00011001 | 113 | J16
26 | 1A | 00011010 | 8 | B8
27 | 1B | 00011011 | 200 | A8
28 | 1C | 00011100 | 248 | D
29 | 1D | 00011101 | 105 | E8
30 | 1E | 00011110 | 28 | d4
31 | 1F | 00011111 | 193 | d«A
32 | 20 | 00100000 | 125 | Rm
33 | 21 | 00100001 | 194 |
34 | 22 | 00100010 | 29 | f2
35 | 23 | 00100011 | 181 | h2
36 | 24 | 00100100 | 249 | k'1
37 | 25 | 00100101 | 185 | a! 54
38 | 26 | 00100110 | 39 | OO
39 | 27 | 00100111 | 106 | M 128
40 | 28 | 00101000 | 77 | Mw
41 | 29 | 00101001 | 228 | f
42 | 2A | 00101010 | 166 | M8
43 | 2B | 00101011 | 114 | fm
44 | 2C | 00101100 | 154 | M'62
45 | 2D | 00101101 | 201 | f2
46 | 2E | 00101110 | 9 | l
47 | 2F | 00101111 | 120 | F8
48 | 30 | 00110000 | 101 | m32
49 | 31 | 00110001 | 47 | ci6
50 | 32 | 00110010 | 138 | N 128
51 | 33 | 00110011 | 5 | r
52 | 34 | 00110100 | 33 | l32
53 | 35 | 00110101 | 15 | T
54 | 36 | 00110110 | 225 | F‘ii
55 | 37 | 00110111 | 36 | l4
56 | 38 | 00111000 | 18 | l 2
57 | 39 | 00111001 | 240 |
58 | 3A | 00111010 | 130 | r128
59 | 3B | 00111011 | 69 | N 64
60 | 3C | 00111100 | 53 |
61 | 3D | 00111101 | 147 | /4
62 | 3E | 00111110 | 218 | h
63 | 3F | 00111111 | 142 | jw
64 | 40 | 01000000 | 150 | A128
65 | 41 | 01000001 | 143 | DUj
66 | 42 | 01000010 | 219 | L4
67 | 43 | 01000011 | 189 | IF 4
68 | 44 | 01000100 | 54 | F2
69 | 45 | 01000101 | 208 | Cw
70 | 46 | 01000110 | 206 | Gw
71 | 47 | 01000111 | 148 | Ha
72 | 48 | 01001000 | 19 | 9
73 | 49 | 01001001 | 92 | J4
74 | 4A | 01001010 | 210 | Ew
75 | 4B | 01001011 | 241 | D2
76 | 4C | 01001100 | 64 | Bm
77 | 4D | 01001101 | 70 | A,i
78 | 4E | 01001110 | 131 | d128
79 | 4F | 01001111 | 56 | d8
80 | 50 | 01010000 | 102 | 72
81 | 51 | 01010001 | 221 | P
82 | 52 | 01010010 | 253 | b2
83 | 53 | 01010011 | 48 | Kw
84 | 54 | 01010100 | 191 | 664
85 | 55 | 01010101 | 6 | K2
86 | 56 | 01010110 | 139 | J128
87 | 57 | 01010111 | 98 | 9i2
88 | 58 | 01011000 | 179 | G4
89 | 59 | 01011001 | 37 | H
90 | 5A | 01011010 | 226 | Ji‘2
91 | 5B | 01011011 | 152 | 9s
92 | 5C | 01011100 | 34 | a2
93 | 5D | 01011101 | 136 | a8
94 | 5E | 01011110 | 145 | A16
95 | 5F | 01011111 | 16 | Bw
96 | 60 | 01100000 | 126 | km
97 | 61 | 01100001 | 110 | a16
98 | 62 | 01100010 | 72 | /8
99 | 63 | 01100011 | 195 | ^64
100 | 64 | 01100100 | 163 | J4
101 | 65 | 01100101 | 182 |
102 | 66 | 01100110 | 30 | T2
103 | 67 | 01100111 | 66 | F 4
104 | 68 | 01101000 | 58 | j64
105 | 69 | 01101001 | 107 | h4
106 | 6A | 01101010 | 40 |
107 | 6B | 01101011 | 84 | N 4
108 | 6C | 01101100 | 250 | R
109 | 6D | 01101101 | 133 | s128
110 | 6E | 01101110 | 61 | A64
111 | 6F | 01101111 | 186 | n64
112 | 70 | 01110000 | 43 | m
113 | 71 | 01110001 | 121 | cm
114 | 72 | 01110010 | 10 | r2
115 | 73 | 01110011 | 21 | N
116 | 74 | 01110100 | 155 | a4
117 | 75 | 01110101 | 159 | k'42
118 | 76 | 01110110 | 94 | c32
119 | 77 | 01110111 | 202 | 64 m
120 | 78 | 01111000 | 78 | fw
121 | 79 | 01111001 | 212 | M
122 | 7A | 01111010 | 172 | 4 m
123 | 7B | 01111011 | 229 | c2
124 | 7C | 01111100 | 243 | k4
125 | 7D | 01111101 | 115 | a128
126 | 7E | 01111110 | 167 | Ss
127 | 7F | 01111111 | 87 | n8
128 | 80 | 10000000 | 175 | Rw
129 | 81 | 10000001 | 88 | s8
130 | 82 | 10000010 | 168 | N8
131 | 83 | 10000011 | 80 | r i ti
132 | 84 | 10000100 | 244 | S
133 | 85 | 10000101 | 234 | n
134 | 86 | 10000110 | 214 | h8
135 | 87 | 10000111 | 116 |
136 | 88 | 10001000 | 79 | Sw
137 | 89 | 10001001 | 174 | n16
138 | 8A | 10001010 | 233 | S2
139 | 8B | 10001011 | 213 | n2
140 | 8C | 10001100 | 231 | k8
141 | 8D | 10001101 | 230 | a
142 | 8E | 10001110 | 173 | hw
143 | 8F | 10001111 | 232 | J
144 | 90 | 10010000 | 44 | sA
145 | 91 | 10010001 | 215 | R8
146 | 92 | 10010010 | 117 | ni28
147 | 93 | 10010011 | 122 | S128
148 | 94 | 10010100 | 235 | R4
149 | 95 | 10010101 | 22 | s2
150 | 96 | 10010110 | 11 | s
151 | 97 | 10010111 | 245 | R2
152 | 98 | 10011000 | 89 | m8
153 | 99 | 10011001 | 203 | c4
154 | 9A | 10011010 | 95 | R:i2
155 | 9B | 10011011 | 176 | sw
156 | 9C | 10011100 | 156 | f2
157 | 9D | 10011101 | 169 | M2
158 | 9E | 10011110 | 81 | Nw
159 | 9F | 10011111 | 160 | r32
160 | A0 | 10100000 | 127 | b128
161 | A1 | 10100001 | 12 | K4
162 | A2 | 10100010 | 246 | L
163 | A3 | 10100011 | 111 | Ll8
164 | A4 | 10100100 | 23 | J
165 | A5 | 10100101 | 196 | g 64
166 | A6 | 10100110 | 73 | H 64
167 | A7 | 10100111 | 236 | G
168 | A8 | 10101000 | 216 | F8
169 | A9 | 10101001 | 67 | C 64
170 | AA | 10101010 | 31 | D'i2
171 | AB | 10101011 | 45 | E
172 | AC | 10101100 | 164 | H 82
173 | AD | 10101101 | 118 | G128
174 | AE | 10101110 | 123 | L128
175 | AF | 10101111 | 183 | L8
176 | B0 | 10110000 | 204 | 74
177 | B1 | 10110001 | 187 | P4
178 | B2 | 10110010 | 62 | D 64
179 | B3 | 10110011 | 90 | E2
180 | B4 | 10110100 | 251 | b4
181 | B5 | 10110101 | 96 | K82
182 | B6 | 10110110 | 177 |
183 | B7 | 10110111 | 134 | C128
184 | B8 | 10111000 | 59 | Gm
185 | B9 | 10111001 | 82 | Hw
186 | BA | 10111010 | 161 | C32
187 | BB | 10111011 | 108 | F 4
188 | BC | 10111100 | 170 | n2
189 | BD | 10111101 | 85 | D
190 | BE | 10111110 | 41 | H8
191 | BF | 10111111 | 157 | Gi2
192 | C0 | 11000000 | 151 | c8
193 | C1 | 11000001 | 178 | m16
194 | C2 | 11000010 | 135 | jn28
195 | C3 | 11000011 | 144 | /i6
196 | C4 | 11000100 | 97 |
197 | C5 | 11000101 | 190 | Rm
198 | C6 | 11000110 | 220 | ai2
199 | C7 | 11000111 | 252 | k
200 | C8 | 11001000 | 188 | c64
201 | C9 | 11001001 | 149 | m123
202 | CA | 11001010 | 207 | k13
203 | CB | 11001011 | 205 | a2
204 | CC | 11001100 | 55 | a8
205 | CD | 11001101 | 63 | k3i
206 | CE | 11001110 | 91 | h32
207 | CF | 11001111 | 209 | f
208 | D0 | 11010000 | 83 | M4
209 | D1 | 11010001 | 57 | pi
210 | D2 | 11010010 | 132 |
211 | D3 | 11010011 | 60 | 'J' 4
212 | D4 | 11010100 | 65 | ,^64
213 | D5 | 11010101 | 162 | N3 2
214 | D6 | 11010110 | 109 | hi23
215 | D7 | 11010111 | 71 |
216 | D8 | 11011000 | 20 | ^4
217 | D9 | 11011001 | 42 | N2
218 | DA | 11011010 | 158 | S'3'2
219 | DB | 11011011 | 93 | n32
220 | DC | 11011100 | 86 | 9 m
221 | DD | 11011101 | 242 | c
222 | DE | 11011110 | 211 | S4
223 | DF | 11011111 | 171 | n4
224 | E0 | 11100000 | 68 | a4
225 | E1 | 11100001 | 17 | a
226 | E2 | 11100010 | 146 | H 128
227 | E3 | 11100011 | 217 | G2
228 | E4 | 11100100 | 35 | A32
229 | E5 | 11100101 | 32 | B32
230 | E6 | 11100110 | 46 | J2
231 | E7 | 11100111 | 137 | g 128
232 | E8 | 11101000 | 180 | E4
233 | E9 | 11101001 | 124 | D123
234 | EA | 11101010 | 184 | J8
235 | EB | 11101011 | 38 | 9 2
236 | EC | 11101100 | 119 | P*
237 | ED | 11101101 | 153 | 78
238 | EE | 11101110 | 227 | D4
239 | EF | 11101111 | 165 | E32
240 | F0 | 11110000 | 103 | G3
241 | F1 | 11110001 | 74 | H2
242 | F2 | 11110010 | 237 | E2
243 | F3 | 11110011 | 222 | L32
244 | F4 | 11110100 | 197 | jM
245 | F5 | 11110101 | 49 | gw
246 | F6 | 11110110 | 254 | b
247 | F7 | 11110111 | 24 | K3
248 | F8 | 11111000 | 13 | C
249 | F9 | 11111001 | 99 | ]?32
250 | FA | 11111010 | 140 | A123
251 | FB | 11111011 | 128 | B 128
252 | FC | 11111100 | 192 | A'64
253 | FD | 11111101 | 247 | b3
254 | FE | 11111110 | 112 | d™
255 | FF | 11111111 | 7 | d


D.2  Antilogarithm  Table 

Same  information  as  previous  table,  but  ordered  by  logarithm  base  B. 


dec | hex | binary | log | name
0 | 00 | 00000000 | −∞ | 0
1 | 01 | 00000001 | 0 | 1
3 | 03 | 00000011 | 1 | B
5 | 05 | 00000101 | 2 | B2
15 | 0F | 00001111 | 3 | K
17 | 11 | 00010001 | 4 | B 4
51 | 33 | 00110011 | 5 | r
85 | 55 | 01010101 | 6 | K1
255 | FF | 11111111 | 7 | d
26 | 1A | 00011010 | 8 | B 8
46 | 2E | 00101110 | 9 | l
114 | 72 | 01110010 | 10 | r2
150 | 96 | 10010110 | 11 | s
161 | A1 | 10100001 | 12 | K4
248 | F8 | 11111000 | 13 | C
19 | 13 | 00010011 | 14 | d2
53 | 35 | 00110101 | 15 | T
95 | 5F | 01011111 | 16 | Bw
225 | E1 | 11100001 | 17 | a
56 | 38 | 00111000 | 18 | r1
72 | 48 | 01001000 | 19 | 9
216 | D8 | 11011000 | 20 | ^4
115 | 73 | 01110011 | 21 | N
149 | 95 | 10010101 | 22 | s2
164 | A4 | 10100100 | 23 | J
247 | F7 | 11110111 | 24 | K*
2 | 02 | 00000010 | 25 | A
6 | 06 | 00000110 | 26 | C2
10 | 0A | 00001010 | 27 | F
30 | 1E | 00011110 | 28 | d4
34 | 22 | 00100010 | 29 | f2
102 | 66 | 01100110 | 30 | T2
170 | AA | 10101010 | 31 | D32
229 | E5 | 11100101 | 32 | B32
52 | 34 | 00110100 | 33 | l32
92 | 5C | 01011100 | 34 | a 2
228 | E4 | 11100100 | 35 | A 32
55 | 37 | 00110111 | 36 | l4
89 | 59 | 01011001 | 37 | H
235 | EB | 11101011 | 38 | 92
38 | 26 | 00100110 | 39 | f
106 | 6A | 01101010 | 40 |
190 | BE | 10111110 | 41 | H 8
217 | D9 | 11011001 | 42 | N2
112 | 70 | 01110000 | 43 | m
144 | 90 | 10010000 | 44 | s4
171 | AB | 10101011 | 45 | E
230 | E6 | 11100110 | 46 | J 2
49 | 31 | 00110001 | 47 | c16
83 | 53 | 01010011 | 48 | KW
245 | F5 | 11110101 | 49 | gW
4 | 04 | 00000100 | 50 | A2
12 | 0C | 00001100 | 51 | 7
20 | 14 | 00010100 | 52 | C 4
60 | 3C | 00111100 | 53 | M64
68 | 44 | 01000100 | 54 | F2
204 | CC | 11001100 | 55 | a8
79 | 4F | 01001111 | 56 | d8
209 | D1 | 11010001 | 57 | fU
104 | 68 | 01101000 | 58 |
184 | B8 | 10111000 | 59 | CF4
211 | D3 | 11010011 | 60 | rpA
110 | 6E | 01101110 | 61 |
178 | B2 | 10110010 | 62 |
205 | CD | 11001101 | 63 | kbi
76 | 4C | 01001100 | 64 | B84
212 | D4 | 11010100 | 65 | r64
103 | 67 | 01100111 | 66 | A4
169 | A9 | 10101001 | 67 | CM
224 | E0 | 11100000 | 68 | a4
59 | 3B | 00111011 | 69 | NM
77 | 4D | 01001101 | 70 | A64
215 | D7 | 11010111 | 71 | f
98 | 62 | 01100010 | 72 | l8
166 | A6 | 10100110 | 73 | Hm
241 | F1 | 11110001 | 74 | H 2
8 | 08 | 00001000 | 75 |
24 | 18 | 00011000 | 76 | gA
40 | 28 | 00101000 | 77 | Mw
120 | 78 | 01111000 | 78 |
136 | 88 | 10001000 | 79 | su
131 | 83 | 10000011 | 80 | r16
158 | 9E | 10011110 | 81 | NW
185 | B9 | 10111001 | 82 | Hw
208 | D0 | 11010000 | 83 | M 4
107 | 6B | 01101011 | 84 | N4
189 | BD | 10111101 | 85 | n
220 | DC | 11011100 | 86 | 9 m
127 | 7F | 01111111 | 87 | n8
129 | 81 | 10000001 | 88 | s8
152 | 98 | 10011000 | 89 | m8
179 | B3 | 10110011 | 90 | E2
206 | CE | 11001110 | 91 | h:i2
73 | 49 | 01001001 | 92 | J4
219 | DB | 11011011 | 93 |
118 | 76 | 01110110 | 94 | c 82
154 | 9A | 10011010 | 95 | A32
181 | B5 | 10110101 | 96 | A'32
196 | C4 | 11000100 | 97 | s32
87 | 57 | 01010111 | 98 | 9 32
249 | F9 | 11111001 | 99 | p32
16 | 10 | 00010000 | 100 | A4
48 | 30 | 00110000 | 101 | m32
80 | 50 | 01010000 | 102 | 72
240 | F0 | 11110000 | 103 | G8
11 | 0B | 00001011 | 104 | C8
29 | 1D | 00011101 | 105 | E8
39 | 27 | 00100111 | 106 | M 128
105 | 69 | 01101001 | 107 | h4
187 | BB | 10111011 | 108 | F4
214 | D6 | 11010110 | 109 | h 128
97 | 61 | 01100001 | 110 | a18
163 | A3 | 10100011 | 111 | Lw
254 | FE | 11111110 | 112 | d™
25 | 19 | 00011001 | 113 | J16
43 | 2B | 00101011 | 114 | fV2S
125 | 7D | 01111101 | 115 | a128
135 | 87 | 10000111 | 116 | j128
146 | 92 | 10010010 | 117 | n128
173 | AD | 10101101 | 118 | G 128
236 | EC | 11101100 | 119 | P8
47 | 2F | 00101111 | 120 |
113 | 71 | 01110001 | 121 | c 128
147 | 93 | 10010011 | 122 | g«128
174 | AE | 10101110 | 123 | A128
233 | E9 | 11101001 | 124 | D128
32 | 20 | 00100000 | 125 | R 128
96 | 60 | 01100000 | 126 | k128
160 | A0 | 10100000 | 127 | bl2S
251 | FB | 11111011 | 128 | Bm
22 | 16 | 00010110 | 129 | A'128
58 | 3A | 00111010 | 130 | ri2iS
78 | 4E | 01001110 | 131 | dl2S
210 | D2 | 11010010 | 132 |
109 | 6D | 01101101 | 133 | sm
183 | B7 | 10110111 | 134 | Ci28
194 | C2 | 11000010 | 135 | jn28
93 | 5D | 01011101 | 136 | a8
231 | E7 | 11100111 | 137 | g 128
50 | 32 | 00110010 | 138 | N12S
86 | 56 | 01010110 | 139 | J128
250 | FA | 11111010 | 140 | A128
21 | 15 | 00010101 | 141 | F128
63 | 3F | 00111111 | 142 | jW
65 | 41 | 01000001 | 143 | Dw
195 | C3 | 11000011 | 144 | Z16
94 | 5E | 01011110 | 145 | A16
226 | E2 | 11100010 | 146 | H1'28
61 | 3D | 00111101 | 147 | /4
71 | 47 | 01000111 | 148 | H4
201 | C9 | 11001001 | 149 | m 128
64 | 40 | 01000000 | 150 | A128
192 | C0 | 11000000 | 151 | c8
91 | 5B | 01011011 | 152 | 9 8
237 | ED | 11101101 | 153 | 78
44 | 2C | 00101100 | 154 | M82
116 | 74 | 01110100 | 155 | a4
156 | 9C | 10011100 | 156 | f2
191 | BF | 10111111 | 157 | G82
218 | DA | 11011010 | 158 | S8'1
117 | 75 | 01110101 | 159 | k82
159 | 9F | 10011111 | 160 | r32
186 | BA | 10111010 | 161 | C82
213 | D5 | 11010101 | 162 | N82
100 | 64 | 01100100 | 163 | 3 4
172 | AC | 10101100 | 164 | H82
239 | EF | 11101111 | 165 | E82
42 | 2A | 00101010 | 166 | M 8
126 | 7E | 01111110 | 167 | S8
130 | 82 | 10000010 | 168 | N8
157 | 9D | 10011101 | 169 | M2
188 | BC | 10111100 | 170 | D2
223 | DF | 11011111 | 171 | n4
122 | 7A | 01111010 | 172 | 4 m
142 | 8E | 10001110 | 173 | hw
137 | 89 | 10001001 | 174 | n16
128 | 80 | 10000000 | 175 | Rw
155 | 9B | 10011011 | 176 | sw
182 | B6 | 10110110 | 177 | plQ
193 | C1 | 11000001 | 178 | m16
88 | 58 | 01011000 | 179 | G4
232 | E8 | 11101000 | 180 | E 4
35 | 23 | 00100011 | 181 | K2
101 | 65 | 01100101 | 182 |
175 | AF | 10101111 | 183 | L8
234 | EA | 11101010 | 184 | J8
37 | 25 | 00100101 | 185 | ae4
111 | 6F | 01101111 | 186 | n64
177 | B1 | 10110001 | 187 | (34
200 | C8 | 11001000 | 188 | c64
67 | 43 | 01000011 | 189 | A64
197 | C5 | 11000101 | 190 | Rm
84 | 54 | 01010100 | 191 | P
252 | FC | 11111100 | 192 |
31 | 1F | 00011111 | 193 | d64
33 | 21 | 00100001 | 194 | s64
99 | 63 | 01100011 | 195 | ^64
165 | A5 | 10100101 | 196 | gm
244 | F4 | 11110100 | 197 | P 4
7 | 07 | 00000111 | 198 | ^64
9 | 09 | 00001001 | 199 | Ds
27 | 1B | 00011011 | 200 | As
45 | 2D | 00101101 | 201 | P
119 | 77 | 01110111 | 202 | 64 m
153 | 99 | 10011001 | 203 | c4
176 | B0 | 10110000 | 204 | 74
203 | CB | 11001011 | 205 | a 2
70 | 46 | 01000110 | 206 | Gw
202 | CA | 11001010 | 207 | P«
69 | 45 | 01000101 | 208 | Cw
207 | CF | 11001111 | 209 | f
74 | 4A | 01001010 | 210 | Ew
222 | DE | 11011110 | 211 | S 4
121 | 79 | 01111001 | 212 | M
139 | 8B | 10001011 | 213 | n 2
134 | 86 | 10000110 | 214 | hs
145 | 91 | 10010001 | 215 | R*
168 | A8 | 10101000 | 216 | F 8
227 | E3 | 11100011 | 217 | G2
62 | 3E | 00111110 | 218 | h
66 | 42 | 01000010 | 219 | P
198 | C6 | 11000110 | 220 | P2
81 | 51 | 01010001 | 221 | P
243 | F3 | 11110011 | 222 | L's}
14 | 0E | 00001110 | 223 | P2
18 | 12 | 00010010 | 224 | d 32
54 | 36 | 00110110 | 225 | j^32
90 | 5A | 01011010 | 226 | P2
238 | EE | 11101110 | 227 | D4
41 | 29 | 00101001 | 228 | f
123 | 7B | 01111011 | 229 | c2
141 | 8D | 10001101 | 230 | a
140 | 8C | 10001100 | 231 | k*
143 | 8F | 10001111 | 232 | J
138 | 8A | 10001010 | 233 | S2
133 | 85 | 10000101 | 234 | n
148 | 94 | 10010100 | 235 | R4
167 | A7 | 10100111 | 236 | G
242 | F2 | 11110010 | 237 | L2
13 | 0D | 00001101 | 238 | P
23 | 17 | 00010111 | 239 | bw
57 | 39 | 00111001 | 240 |
75 | 4B | 01001011 | 241 | D2
221 | DD | 11011101 | 242 | c
124 | 7C | 01111100 | 243 | k4
132 | 84 | 10000100 | 244 | S
151 | 97 | 10010111 | 245 | R2
162 | A2 | 10100010 | 246 | L
253 | FD | 11111101 | 247 | bs
28 | 1C | 00011100 | 248 | D
36 | 24 | 00100100 | 249 | k2
108 | 6C | 01101100 | 250 | R
180 | B4 | 10110100 | 251 | b4
199 | C7 | 11000111 | 252 | k
82 | 52 | 01010010 | 253 | b2
246 | F6 | 11110110 | 254 | b


D.3  Polynomial Table

Each minimal polynomial over GF(2) is listed as a bit string of coefficients, e.g., 100011011
means x^8 + x^4 + x^3 + x + 1 = q(x). Reversing the bit string corresponds to inverting the
roots; the ordering is in such pairs. The conjugate roots are given in terms of log_B; the first
listed is given the name shown. The "order" is in the multiplicative subgroup, e.g., γ^5 = 1.


name | polynomial | order | log_B of conjugates
0 | 10 | 1 | −∞
1 | 11 | 1 | 0
Ω | 111 | 3 | 85, 170
α | 10011 | 15 | 17, 34, 68, 136
β | 11001 | 15 | 238, 221, 187, 119
γ | 11111 | 5 | 51, 102, 204, 153
A | 100011011 | 51 | 25, 50, 100, 200, 145, 35, 70, 140
a | 110110001 | 51 | 230, 205, 155, 55, 110, 220, 185, 115
B | 100011101 | 255 | 1, 2, 4, 8, 16, 32, 64, 128
b | 101110001 | 255 | 254, 253, 251, 247, 239, 223, 191, 127
C | 100101011 | 255 | 13, 26, 52, 104, 208, 161, 67, 134
c | 110101001 | 255 | 242, 229, 203, 151, 47, 94, 188, 121
D | 100101101 | 255 | 248, 241, 227, 199, 143, 31, 62, 124
d | 101101001 | 255 | 7, 14, 28, 56, 112, 224, 193, 131
E | 100111001 | 17 | 45, 90, 180, 105, 210, 165, 75, 150
F | 100111111 | 85 | 27, 54, 108, 216, 177, 99, 198, 141
f | 111111001 | 85 | 228, 201, 147, 39, 78, 156, 57, 114
G | 101001101 | 255 | 236, 217, 179, 103, 206, 157, 59, 118
g | 101100101 | 255 | 19, 38, 76, 152, 49, 98, 196, 137
H | 101011111 | 255 | 37, 74, 148, 41, 82, 164, 73, 146
h | 111110101 | 255 | 218, 181, 107, 214, 173, 91, 182, 109
J | 101100011 | 255 | 23, 46, 92, 184, 113, 226, 197, 139
j | 110001101 | 255 | 232, 209, 163, 71, 142, 29, 58, 116
K | 101110111 | 85 | 3, 6, 12, 24, 48, 96, 192, 129
k | 111011101 | 85 | 252, 249, 243, 231, 207, 159, 63, 126
L | 101111011 | 85 | 246, 237, 219, 183, 111, 222, 189, 123
l | 110111101 | 85 | 9, 18, 36, 72, 144, 33, 66, 132
M | 110000111 | 255 | 212, 169, 83, 166, 77, 154, 53, 106
m | 111000011 | 255 | 43, 86, 172, 89, 178, 101, 202, 149
N | 110001011 | 85 | 21, 42, 84, 168, 81, 162, 69, 138
n | 110100011 | 85 | 234, 213, 171, 87, 174, 93, 186, 117
R | 110011111 | 51 | 250, 245, 235, 215, 175, 95, 190, 125
r | 111110011 | 51 | 5, 10, 20, 40, 80, 160, 65, 130
S | 111001111 | 255 | 244, 233, 211, 167, 79, 158, 61, 122
s | 111100111 | 255 | 11, 22, 44, 88, 176, 97, 194, 133
T | 111010111 | 17 | 15, 30, 60, 120, 240, 225, 195, 135


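Added example (not code from the paper): it rebuilds the data behind Tables D.1 to D.3 for the AES field with q(x) = x^8 + x^4 + x^3 + x + 1 and log base B = A + 1 = 0x03, and checks the Appendix E relations for case 1, where d = 0xFF and d^16 are the roots of y^2 + y + ν with ν = β^8 (β = 0x0D). The helper names gf_mul, gf_pow, build_logs, conjugates, min_poly and mul_order are this example's own choices.

```c
/* Added example, not the paper's code: Tables D.1-D.3 and the Appendix E
 * case-1 norm/trace check for GF(2^8), q(x) = x^8+x^4+x^3+x+1 (0x11B),
 * log base B = A+1 = 0x03.  All function names are this example's own. */
#include <stdint.h>
#include <stdio.h>

/* Product in GF(2^8), polynomial basis of A = x (0x02), reduced modulo q(x). */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    while (b) {
        if (b & 1u) r ^= a;
        b >>= 1;
        a = (uint8_t)((a << 1) ^ ((a & 0x80u) ? 0x1Bu : 0u));
    }
    return r;
}

/* e^k by square-and-multiply, k >= 0. */
static uint8_t gf_pow(uint8_t e, unsigned k)
{
    uint8_t r = 1;
    for (; k; k >>= 1, e = gf_mul(e, e))
        if (k & 1u) r = gf_mul(r, e);
    return r;
}

static uint8_t LOG[256];   /* Table D.1: LOG[x] = log_B(x) for x != 0 */
static uint8_t EXP[255];   /* Table D.2: EXP[k] = B^k */

/* Fills both tables. Returns 1 only if B generates all 255 nonzero elements. */
static int build_logs(void)
{
    uint8_t x = 1;
    int k;
    for (k = 0; k < 255; k++) {
        if (k > 0 && x == 1) return 0;   /* orbit closed early: B not primitive */
        EXP[k] = x;
        LOG[x] = (uint8_t)k;
        x = gf_mul(x, 0x03);
    }
    return x == 1;                       /* B^255 must return to 1 */
}

/* Table D.3, conjugate column: e, e^2, e^4, ... until the orbit repeats.
 * The orbit length (1, 2, 4 or 8) is the degree of the minimal polynomial,
 * so length <= 4 means e lies in GF(2^4) and length <= 2 means GF(2^2). */
static int conjugates(uint8_t e, uint8_t conj[8])
{
    int n = 0;
    uint8_t x = e;
    do {
        conj[n++] = x;
        x = gf_mul(x, x);
    } while (x != e && n < 8);
    return n;
}

/* Table D.3, polynomial column: product of (x + c) over the conjugates of e,
 * as a coefficient bit string (bit i = coefficient of x^i), e.g. 0x11B for A. */
static unsigned min_poly(uint8_t e)
{
    uint8_t conj[8], p[9] = {1};          /* p(x) = 1 */
    int n = conjugates(e, conj), deg = 0, i, j;
    unsigned bits = 0;
    for (i = 0; i < n; i++) {             /* p(x) = p(x) * (x + conj[i]) */
        for (j = deg + 1; j > 0; j--)
            p[j] = p[j - 1] ^ gf_mul(p[j], conj[i]);
        p[0] = gf_mul(p[0], conj[i]);
        deg++;
    }
    for (i = 0; i <= deg; i++)            /* every coefficient is now 0 or 1 */
        bits |= (unsigned)p[i] << i;
    return bits;
}

/* Table D.3, order column: multiplicative order of e (0 for e = 0). */
static unsigned mul_order(uint8_t e)
{
    unsigned k = 1;
    uint8_t x = e;
    if (e == 0) return 0;
    while (x != 1) { x = gf_mul(x, e); k++; }
    return k;
}

int main(void)
{
    uint8_t conj[8], d = 0xFF, beta = 0x0D, d16;
    int i, n;
    if (!build_logs()) return 1;
    printf("log_B(0x02) = %u, log_B(0xFF) = %u\n", (unsigned)LOG[0x02], (unsigned)LOG[0xFF]);
    n = conjugates(0x02, conj);
    printf("A = 0x02: order %u, poly %X, log_B of conjugates:", mul_order(0x02), min_poly(0x02));
    for (i = 0; i < n; i++) printf(" %u", (unsigned)LOG[conj[i]]);
    /* Appendix E, case 1: d and d^16 are the roots of y^2 + y + nu, so their
     * sum (the trace) is 1 and their product is nu = beta^8. */
    d16 = gf_pow(d, 16);
    printf("\ntrace(d) = %u, d*d^16 == beta^8: %s\n", (unsigned)(d ^ d16),
           gf_mul(d, d16) == gf_pow(beta, 8) ? "yes" : "no");
    return 0;
}
```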
E  All Possible Bases

The following table shows all 432 possible combinations of bases for GF(2^8), GF(2^4), and
GF(2^2) for which the trace is unity (τ = T = 1). Each subfield basis is given as an ordered
pair; if the second entry is 1 then it is a polynomial basis, otherwise a normal basis. The
GF(2^8) basis uses roots of r(y) = y^2 + y + ν, the GF(2^4) basis uses roots of s(z) = z^2 + z + N,
where ν and N are the respective norms, and the GF(2^2) basis uses roots of t(w) = w^2 + w + 1.

The basis and norm entries use the naming convention summarized in Table D.3. Explicitly,
in terms of the standard AES basis: in subfield GF(2^2), Ω = 189 = 0xBD; in subfield GF(2^4),
α = 225 = 0xE1, β = 13 = 0x0D, and γ = 12 = 0x0C; in the main field, d = 255 = 0xFF and
L = 162 = 0xA2.

The coefficients C and D of ν with respect to the GF(2^4) basis are given in terms of N,
as is the root w, as on page 18.

Under "XOR Gates," the first column shows the number of XOR gates for the inverter;
each also includes 36 AND's. For bases 1-144, this number includes all of the low-level
optimizations given in Section 4.4; bases 145 and beyond use a polynomial basis for GF(2^8),
and for those cases the inverter number is an estimate (except for 8 cases where these
optimizations were explicitly included: 159, 177, 191, 209, 234, 252, 260, and 278). The
last three columns show the XOR's for a complete S-box, an inverse S-box, and a merged
combination of both with a shared inverter (excluding multiplexors); each would also have
36 AND's and possibly a few NOT's (for the affine transformation). A superscript ° in the
last column means the 16 × 8 basis change matrices were fully optimized by the tree-search
algorithm; otherwise they were factored by the greedy algorithm. (All of the 8 × 8 matrices
were fully optimized.)
Case | Bases | | | Norms | | Coefficients | | | XOR Gates | | |
# | GF(2^8) | GF(2^4) | GF(2^2) | ν | N | C | D | w = | inv. | S-box | S-box^-1 | Both
1 | [d^16, d] | [α^4, α] | [Ω^2, Ω] | β^8 | Ω | N^2 | 1 | N | 66 | 99 | 94 | 122
2 | [d^16, d] | [α^4, α] | [Ω, 1] | β^8 | Ω | N^2 | 1 | N | 66 | 94 | 93 | 119
3 | [d^16, d] | [α^4, α] | [Ω^2, 1] | β^8 | Ω | N^2 | 1 | N^2 | 66 | 94 | 92 | 116
4 | [d^16, d] | [α^8, α^2] | [Ω^2, Ω] | β^8 | Ω^2 | 0 | N^2 | N^2 | 66 | 90 | 91 | 104°
5 | [d^16, d] | [α^8, α^2] | [Ω, 1] | β^8 | Ω^2 | 0 | N^2 | N^2 | 66 | 92 | 92 | 109°
6 | [d^16, d] | [α^8, α^2] | [Ω^2, 1] | β^8 | Ω^2 | 0 | N^2 | N | 66 | 92 | 94 | 112°
7 | [d^16, d] | [α, 1] | [Ω^2, Ω] | β^8 | Ω | N | N^2 | N | 67 | 97 | 94 | 119
8 | [d^16, d] | [α, 1] | [Ω, 1] | β^8 | Ω | N | N^2 | N | 68 | 95 | 95 | 117
9 | [d^16, d] | [α, 1] | [Ω^2, 1] | β^8 | Ω | N | N^2 | N^2 | 68 | 98 | 94 | 119
10 | [d^16, d] | [α^4, 1] | [Ω^2, Ω] | β^8 | Ω | N | 1 | N | 67 | 95 | 94 | 117
11 | [d^16, d] | [α^4, 1] | [Ω, 1] | β^8 | Ω | N | 1 | N | 67 | 93 | 94 | 115
12 | [d^16, d] | [α^4, 1] | [Ω^2, 1] | β^8 | Ω | N | 1 | N^2 | 67 | 94 | 94 | 118
13 | [d^16, d] | [α^2, 1] | [Ω^2, Ω] | β^8 | Ω^2 | N^2 | 0 | N^2 | 67 | 91 | 92 | 114
14 | [d^16, d] | [α^2, 1] | [Ω, 1] | β^8 | Ω^2 | N^2 | 0 | N^2 | 67 | 93 | 93 | 114
15 | [d^16, d] | [α^2, 1] | [Ω^2, 1] | β^8 | Ω^2 | N^2 | 0 | N | 67 | 94 | 95 | 118
16 | [d^16, d] | [α^8, 1] | [Ω^2, Ω] | β^8 | Ω^2 | N^2 | N^2 | N^2 | 67 | 91 | 93 | 111°
17 | [d^16, d] | [α^8, 1] | [Ω, 1] | β^8 | Ω^2 | N^2 | N^2 | N^2 | 67 | 92 | 94 | 112°
18 | [d^16, d] | [α^8, 1] | [Ω^2, 1] | β^8 | Ω^2 | N^2 | N^2 | N | 67 | 93 | 94 | 117
19 | [d^32, d^2] | [α^4, α] | [Ω^2, Ω] | β | Ω | N^2 | 0 | N | 66 | 96 | 98 | 124
20 | [d^32, d^2] | [α^4, α] | [Ω, 1] | β | Ω | N^2 | 0 | N | 66 | 97 | 99 | 118
21 | [d^32, d^2] | [α^4, α] | [Ω^2, 1] | β | Ω | N^2 | 0 | N^2 | 66 | 95 | 97 | 116
22 | [d^32, d^2] | [α^8, α^2] | [Ω^2, Ω] | β | Ω^2 | N^2 | 1 | N^2 | 66 | 96 | 97 | 116
23 | [d^32, d^2] | [α^8, α^2] | [Ω, 1] | β | Ω^2 | N^2 | 1 | N^2 | 66 | 94 | 92 | 107°
24 | [d^32, d^2] | [α^8, α^2] | [Ω^2, 1] | β | Ω^2 | N^2 | 1 | N | 66 | 94 | 94 | 117
25 | [d^32, d^2] | [α, 1] | [Ω^2, Ω] | β | Ω | N^2 | N^2 | N | 67 | 97 | 98 | 121
26 | [d^32, d^2] | [α, 1] | [Ω, 1] | β | Ω | N^2 | N^2 | N | 67 | 96 | 97 | 122
27 | [d^32, d^2] | [α, 1] | [Ω^2, 1] | β | Ω | N^2 | N^2 | N^2 | 67 | 97 | 95 | 121
28 | [d^32, d^2] | [α^4, 1] | [Ω^2, Ω] | β | Ω | N^2 | 0 | N | 67 | 97 | 98 | 122
29 | [d^32, d^2] | [α^4, 1] | [Ω, 1] | β | Ω | N^2 | 0 | N | 67 | 96 | 93 | 117
30 | [d^32, d^2] | [α^4, 1] | [Ω^2, 1] | β | Ω | N^2 | 0 | N^2 | 67 | 96 | 97 | 118
31 | [d^32, d^2] | [α^2, 1] | [Ω^2, Ω] | β | Ω^2 | N | N^2 | N^2 | 67 | 96 | 97 | 122
32 | [d^32, d^2] | [α^2, 1] | [Ω, 1] | β | Ω^2 | N | N^2 | N^2 | 68 | 98 | 94 | 115
33 | [d^32, d^2] | [α^2, 1] | [Ω^2, 1] | β | Ω^2 | N | N^2 | N | 68 | 99 | 96 | 120
34 | [d^32, d^2] | [α^8, 1] | [Ω^2, Ω] | β | Ω^2 | N | 1 | N^2 | 67 | 94 | 97 | 112°
35 | [d^32, d^2] | [α^8, 1] | [Ω, 1] | β | Ω^2 | N | 1 | N^2 | 67 | 93 | 93 | 110°
36 | [d^32, d^2] | [α^8, 1] | [Ω^2, 1] | β | Ω^2 | N | 1 | N | 67 | 92 | 94 | 118
37 | [d^64, d^4] | [α^4, α] | [Ω^2, Ω] | β^2 | Ω | 1 | N^2 | N | 66 | 94 | 93 | 115
38 | [d^64, d^4] | [α^4, α] | [Ω, 1] | β^2 | Ω | 1 | N^2 | N | 66 | 94 | 93 | 117
39 | [d^64, d^4] | [α^4, α] | [Ω^2, 1] | β^2 | Ω | 1 | N^2 | N^2 | 66 | 95 | 92 | 111°
40 | [d^64, d^4] | [α^8, α^2] | [Ω^2, Ω] | β^2 | Ω^2 | N^2 | 0 | N^2 | 66 | 96 | 92 | 117
41 | [d^64, d^4] | [α^8, α^2] | [Ω, 1] | β^2 | Ω^2 | N^2 | 0 | N^2 | 66 | 94 | 96 | 119
42 | [d^64, d^4] | [α^8, α^2] | [Ω^2, 1] | β^2 | Ω^2 | N^2 | 0 | N | 66 | 96 | 97 | 119
43 | [d^64, d^4] | [α, 1] | [Ω^2, Ω] | β^2 | Ω | N | 1 | N | 67 | 92 | 90 | 111°
44 | [d^64, d^4] | [α, 1] | [Ω, 1] | β^2 | Ω | N | 1 | N | 67 | 91 | 92 | 107°
45 | [d^64, d^4] | [α, 1] | [Ω^2, 1] | β^2 | Ω | N | 1 | N^2 | 67 | 91 | 91 | 109°
46 | [d^64, d^4] | [α^4, 1] | [Ω^2, Ω] | β^2 | Ω | N | N^2 | N | 67 | 96 | 94 | 120
47 | [d^64, d^4] | [α^4, 1] | [Ω, 1] | β^2 | Ω | N | N^2 | N | 68 | 95 | 95 | 116
48 | [d^64, d^4] | [α^4, 1] | [Ω^2, 1] | β^2 | Ω | N | N^2 | N^2 | 68 | 97 | 97 | 119
49 | [d^64, d^4] | [α^2, 1] | [Ω^2, Ω] | β^2 | Ω^2 | N^2 | N^2 | N^2 | 67 | 94 | 95 | 119
50 | [d^64, d^4] | [α^2, 1] | [Ω, 1] | β^2 | Ω^2 | N^2 | N^2 | N^2 | 67 | 93 | 95 | 109°
51 | [d^64, d^4] | [α^2, 1] | [Ω^2, 1] | β^2 | Ω^2 | N^2 | N^2 | N | 67 | 94 | 96 | 118
52 | [d^64, d^4] | [α^8, 1] | [Ω^2, Ω] | β^2 | Ω^2 | N^2 | 0 | N^2 | 67 | 95 | 95 | 117
53 | [d^64, d^4] | [α^8, 1] | [Ω, 1] | β^2 | Ω^2 | N^2 | 0 | N^2 | 67 | 93 | 94 | 115
54 | [d^64, d^4] | [α^8, 1] | [Ω^2, 1] | β^2 | Ω^2 | N^2 | 0 | N | 67 | 96 | 97 | 115
55 | [d^128, d^8] | [α^4, α] | [Ω^2, Ω] | β^4 | Ω | 0 | N^2 | N | 66 | 94 | 97 | 122
56 | [d^128, d^8] | [α^4, α] | [Ω, 1] | β^4 | Ω | 0 | N^2 | N | 66 | 96 | 96 | 122
57 | [d^128, d^8] | [α^4, α] | [Ω^2, 1] | β^4 | Ω | 0 | N^2 | N^2 | 66 | 95 | 97 | 118
58 | [d^128, d^8] | [α^8, α^2] | [Ω^2, Ω] | β^4 | Ω^2 | 1 | N^2 | N^2 | 66 | 96 | 96 | 115
59 | [d^128, d^8] | [α^8, α^2] | [Ω, 1] | β^4 | Ω^2 | 1 | N^2 | N^2 | 66 | 96 | 95 | 119
60 | [d^128, d^8] | [α^8, α^2] | [Ω^2, 1] | β^4 | Ω^2 | 1 | N^2 | N | 66 | 96 | 97 | 114
61 | [d^128, d^8] | [α, 1] | [Ω^2, Ω] | β^4 | Ω | N^2 | 0 | N | 67 | 96 | 98 | 119
62 | [d^128, d^8] | [α, 1] | [Ω, 1] | β^4 | Ω | N^2 | 0 | N | 67 | 94 | 96 | 116
63 | [d^128, d^8] | [α, 1] | | β^4 | Ω | N^2 | 0 | N^2 | 67 | 96 | 98 | 119
64 | [d^128, d^8] | [α^4, 1] | [Ω^2, Ω] | β^4 | Ω | N^2 | N^2 | N | 67 | 96 | 98 | 120
65 | [d^128, d^8] | [α^4, 1] | [Ω, 1] | β^4 | Ω | N^2 | N^2 | N | 67 | 95 | 95 | 118
66 | [d^128, d^8] | [α^4, 1] | [Ω^2, 1] | β^4 | Ω | N^2 | N^2 | N^2 | 67 | 96 | 97 | 120
67 | [d^128, d^8] | [α^2, 1] | [Ω^2, Ω] | β^4 | Ω^2 | N | 1 | N^2 | 67 | 97 | 98 | 121
68 | [d^128, d^8] | [α^2, 1] | [Ω, 1] | β^4 | Ω^2 | N | 1 | N^2 | 67 | 94 | 93 | 119
69 | [d^128, d^8] | [α^2, 1] | [Ω^2, 1] | β^4 | Ω^2 | N | 1 | N | 67 | 99 | 98 | 123
70 | [d^128, d^8] | [α^8, 1] | [Ω^2, Ω] | β^4 | Ω^2 | N | N^2 | N^2 | 67 | 98 | 98 | 122
71 | [d^128, d^8] | [α^8, 1] | [Ω, 1] | β^4 | Ω^2 | N | N^2 | N^2 | 68 | 97 | 97 | 124
72 | [d^128, d^8] | [α^8, 1] | [Ω^2, 1] | β^4 | Ω^2 | N | N^2 | N | 68 | 100 | 99 | 119
73 | [L^16, L] | [α^4, α] | | γ^2 | Ω | 0 | N | N | 66 | 94 | 93 | 117
74 | [L^16, L] | [α^4, α] | [Ω, 1] | γ^2 | Ω | 0 | N | N | 66 | 96 | 95 | 120
75 | [L^16, L] | [α^4, α] | [Ω^2, 1] | γ^2 | Ω | 0 | N | N^2 | 66 | 96 | 93 | 119
76 | [L^16, L] | [α^8, α^2] | | γ^2 | Ω^2 | N | 1 | N^2 | 66 | 92 | 93 | 115
77 | [L^16, L] | [α^8, α^2] | [Ω, 1] | γ^2 | Ω^2 | N | 1 | N^2 | 66 | 93 | 94 | 119
78 | [L^16, L] | [α^8, α^2] | [Ω^2, 1] | γ^2 | Ω^2 | N | 1 | N | 66 | 93 | 95 | 117
79 | [L^16, L] | [α, 1] | | γ^2 | Ω | N | 0 | N | 67 | 93 | 92 | 114
80 | [L^16, L] | [α, 1] | [Ω, 1] | γ^2 | Ω | N | 0 | N | 67 | 92 | 93 | 116
81 | [L^16, L] | [α, 1] | [Ω^2, 1] | γ^2 | Ω | | | | | | |

° fully optimized results

N 

0 

N2 

67 

94 

93 

115 

82 

[L  w,  L] 

[a4, 1] 

72 

12 

N 

N 

N 

67 

94 

96 

116 

83 

[Ll\L] 

[a4, 1] 

[0,1] 

72 

12 

N 

N 

N 

67 

94 

93 

116 

84 

[LW,L] 

a4, 1] 

[fi2,l] 

72 

12 

N 

N 

N2 

67 

93 

94 

115 

85 

[LW,L] 

[«2, 1] 

[ft2, 12] 

72 

122 

N 2 

N 

N 2 

67 

92 

93 

111° 

86 

[L  w,  L] 

[a2, 1] 

[0, 1] 

72 

122 

N2 

N 

N2 

67 

92 

94 

116 

87 

[LW,L] 

[a2, 1] 

[122,1] 

72 

122 

N2 

N 

N 

67 

93 

95 

117 

88 

[L  w,  L] 

[a8, 1] 

[122,12] 

72 

122 

N2 

1 

N2 

67 

94 

94 

111 

89 

[LW,L] 

[a8, 1] 

[0,1] 

72 

122 

N2 

1 

N2 

68 

92 

92 

115 

90 

[L  w,  L] 

[a8, 1] 

[122,1] 

72 

122 

N2 

1 

N 

67 

93 

93 

115 

91 

[L32,L2] 

a4,  a] 

[122,12] 

74 

12 

1 

N 

N 

66 

96 

95 

119 

92 

[L32,L2] 

[a  ,  a\ 

[0,1] 

74 

12 

1 

N 

N 

66 

95 

96 

121 

93 

[L32,L2] 

[or,  a\ 

[122,1] 

74 

12 

1 

N 

N2 

66 

97 

97 

118 

94 

\L32,L2] 

[a8,  a2} 

[Q2, 0] 

74 

122 

0 

N 

N2 

66 

94 

94 

112° 

95 

[L32,L2\ 

[a8,  a2} 

[0,1] 

74 

122 

0 

N 

N2 

66 

93 

96 

118 

96 

\L32,L2\ 

[a8,  a2] 

[122,1] 

74 

122 

0 

N 

N 

66 

93 

95 

119 

97 

[L32,L2] 

[a,  1] 

[Q2, 0] 

74 

12 

N2 

1 

N 

67 

98 

99 

125 

98 

[L32,L2\ 

[a,  1] 

[0,1] 

74 

12 

N2 

1 

N 

67 

97 

98 

124 

99 

[L32,  L2} 

[a,  1] 

[122,1] 

74 

12 

N2 

1 

N2 

68 

98 

99 

122 

100 

[  L32,L2) 

[a4, 1] 

[122,12] 

74 

12 

N2 

N 

N 

67 

92 

93 

117 

101 

[L32,L2\ 

[a4, 1] 

[0,1] 

74 

12 

N2 

N 

N 

67 

96 

96 

120 

102 

\L32,L2\ 

[a4, 1] 

[122,1] 

74 

12 

N2 

N 

N2 

67 

97 

97 

122 

103 

[L32,L2\ 

[a2, 1] 

[122,12] 

74 

122 

N 

0 

N2 

67 

95 

97 

121 

104 

\L32,L2} 

[a2, 1] 

[0,1] 

74 

122 

N 

0 

N2 

67 

94 

96 

118 

105 

[  L32,L2} 

[a2, 1] 

[122,1] 

74 

122 

N 

0 

N 

67 

95 

96 

119 

106 

[L32,  L2} 

[a8, 1] 

[Q2, 0] 

74 

122 

N 

N 

N2 

67 

95 

98 

121 

107 

\L32,L2} 

[a8, 1] 

[0,1] 

74 

122 

N 

N 

N2 

67 

96 

95 

116 

108 

\L32,L2\ 

[a8, 1] 

[122,1] 

74 

122 

N 

N 

N 

67 

97 

97 

118 

'fully  optimized  results 


Case 

# 

Bases 

Norms 

Coefficients 

XOR  Gates 

GF(T ) 

GF(  24) 

GF(  22) 

V 

N 

C 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

109 

[L64,  L4} 

4 

[Of  ,  QfJ 

78 

ft 

N 

0 

N 

66 

91 

93 

114 

110 

[LM,  L4 

'  4 

a  ,  a 

[«,  i] 

78 

ft 

N 

0 

N 

66 

91 

92 

108° 

111 

[Lm,  L 4 

■  a 

a  ,  a 

[H2,l] 

78 

ft 

N 

0 

N2 

66 

91 

93 

108° 

112 

[LM,  L4 

< 

a8,  a2 

] 

78 

ft2 

1 

N 

N2 

66 

93 

90 

114 

113 

[LM,  L4 

( 

a8,  a2 

] 

[«,  i] 

78 

ft2 

1 

N 

N2 

66 

94 

90 

109° 

114 

[LM,  L4 

( 

cn8,  a2] 

[fi2,l] 

78 

ft2 

1 

N 

N 

66 

91 

90 

108° 

115 

[L64,  L4 

.01,1} 

[ft2, 12] 

78 

ft 

N 

N 

N 

67 

94 

96 

115 

116 

[LM,  L4 

a,l] 

[0,1] 

78 

ft 

N 

N 

N 

67 

93 

94 

115 

117 

[LM,  L4 

a,l] 

[ft2,l] 

78 

ft 

N 

N 

N2 

67 

92 

94 

109° 

118 

[LM,  L4 

a4, 1] 

[ft2,  ft] 

78 

ft 

N 

0 

N 

67 

91 

94 

112° 

119 

[LM,  L 4 

a4, 1] 

[ft,  1] 

78 

ft 

N 

0 

N 

67 

93 

93 

118 

120 

[L64,  L4 

a4, 1] 

[ft2, 1] 

78 

ft 

N 

0 

N2 

67 

92 

93 

116 

121 

[L64,  L4 

[a2, 1] 

[ft2,  ft] 

78 

ft2 

N 2 

1 

N 2 

67 

96 

93 

119 

122 

[LM,  L4 

[a2, 1] 

[«,  i] 

78 

ft2 

N2 

1 

N2 

68 

95 

93 

114 

123 

[LM,  L4 

[«2, 1] 

[ft2, 1] 

78 

ft2 

N2 

1 

N 

67 

95 

93 

116 

124 

[L64,  L4 

[a8, 1] 

[ft2,  ft] 

78 

ft2 

N2 

N 

N2 

67 

95 

92 

115 

125 

[L64,  L4 

[a8, 1] 

[«,  i] 

78 

ft2 

N2 

N 

N2 

67 

93 

90 

110° 

126 

[LM,  L4 

[a8, 1] 

[ft2,l] 

78 

ft2 

N2 

N 

N 

67 

94 

92 

116 

127 

[L128,  L8] 

a4,  a] 

[ft2,  ft] 

7 

ft 

N 

1 

N 

66 

96 

97 

119 

128 

[L128,  L8} 

■  4 

a  ,  a 

[«,  i] 

7 

ft 

N 

1 

N 

66 

97 

97 

119 

129 

[L128,  L8] 

4 

a  ,  a 

[ft2,  1] 

7 

ft 

N 

1 

N2 

66 

98 

98 

121 

130 

[L128,  L8} 

( 

a8,  a2 

] 

[ft2,  ft] 

7 

ft2 

N 

0 

N2 

66 

92 

91 

115 

131 

[L128,  L8] 

( 

a8,  a2 

] 

[0,1] 

7 

ft2 

N 

0 

N2 

66 

94 

95 

120 

132 

[L128,  L8] 

< 

cn8,  a2] 

[ft2, 1] 

7 

ft2 

N 

0 

N 

66 

92 

95 

116 

133 

[L128,  L8] 

a,l] 

[ft2,  ft] 

7 

ft 

N2 

N 

N 

67 

98 

97 

120 

134 

[L128,  L8} 

a,l] 

[«,  i] 

7 

ft 

N2 

N 

N 

67 

98 

99 

119 

135 

[L128,  L8} 

a,l] 

[ft2,  1] 

7 

ft 

N 2 

N 

N2 

67 

97 

100 

121 

136 

[L128,  L8] 

a4, 1] 

[ft2,  ft] 

7 

ft 

N2 

1 

N 

67 

99 

99 

123 

137 

[L128,  L8] 

a4, 1] 

[«,  i] 

7 

ft 

N2 

1 

N 

67 

96 

99 

122 

138 

[L128,  L8} 

a4, 1] 

[ft2, 1] 

7 

ft 

N2 

1 

N2 

68 

98 

99 

126 

139 

[L128,  L8] 

[a2, 1] 

[ft2,  ft] 

7 

ft2 

N 

N 

N2 

67 

96 

99 

119 

140 

[L128,  L8} 

a2, 1] 

[Si,l] 

7 

ft2 

N 

N 

N2 

67 

96 

98 

120 

141 

[L128,  L8] 

[a2, 1] 

[ft2,l] 

7 

ft2 

N 

N 

N 

67 

96 

99 

122 

142 

[L128,  L8] 

[a8, 1] 

[ft2,  ft] 

7 

ft2 

N 

0 

N2 

67 

95 

94 

116 

143 

[L128,  L8] 

[a8, 1] 

[ft,  1] 

7 

ft2 

N 

0 

N2 

67 

95 

97 

119 

144 

[L128,  L8] 

[a8, 1] 

[ft2,l] 

7 

ft2 

N 

0 

N 

67 

95 

97 

117 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF(  2s) 

GF{  24) 

GF{  22) 

V 

IV 

c 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

145 

[d,  1] 

[a  ,  a\ 

[Q2, 0] 

p8 

ft 

N 2 

1 

N 

72 

100 

98 

122 

146 

[<U] 

[a  ,  a\ 

[f!,l] 

p8 

ft 

N2 

1 

N 

72 

99 

98 

122 

147 

[d,  1] 

[a  ,  a\ 

[^,1] 

p 8 

ft 

N2 

1 

N2 

72 

97 

97 

121 

148 

[d,  1] 

[a8,  a2] 

p8 

ft2 

0 

N2 

N2 

72 

96 

97 

115 

149 

[d,  1] 

[a8,  a2] 

[f!,l] 

p 8 

ft2 

0 

N2 

N2 

72 

97 

99 

112° 

150 

[d,i] 

[a8,  a2] 

[fi2,l] 

p8 

ft2 

0 

N2 

N 

72 

98 

100 

119 

151 

[d,  1] 

[«,  1] 

p 8 

ft 

N 

N2 

N 

73 

101 

98 

123 

152 

[d,  1] 

[a,l] 

[f!,l] 

p 8 

ft 

N 

N2 

N 

74 

100 

99 

117 

153 

[d,  1] 

[a,l] 

[fi2,l] 

p 8 

ft 

N 

N2 

N2 

74 

99 

98 

120 

154 

[d,  1] 

[a4, 1] 

p 8 

ft 

N 

1 

N 

73 

97 

97 

123 

155 

[d,  1] 

[a4, 1] 

[f!,l] 

p 8 

ft 

N 

1 

N 

73 

97 

96 

120 

156 

[d,  11 

a4, 1] 

[fi2,l] 

p 8 

ft 

N 

1 

N2 

73 

99 

100 

124 

157 

[d,  11 

[«2,1] 

[H2,fi] 

p8 

ft2 

N 2 

0 

N 2 

73 

98 

99 

116 

158 

[d,  1] 

[«M] 

[n,i] 

p 8 

ft2 

N2 

0 

N2 

73 

97 

98 

118 

159 

[d,  1] 

[«M] 

[fi2,l] 

p 8 

ft2 

N2 

0 

N 

73 

98 

101 

121 

160 

[d,  1] 

[a8, 1] 

p 8 

ft2 

N2 

N2 

N2 

73 

97 

95 

117 

161 

pi] 

[a8, 1] 

[f!,l] 

p8 

ft2 

N2 

N2 

N2 

73 

96 

96 

116 

162 

[d,  1] 

[a8, 1] 

[fi2,l] 

p8 

ft2 

N2 

N2 

N 

73 

98 

99 

122 

163 

[dw,  1] 

a4,  a] 

p8 

ft 

N2 

1 

N 

72 

102 

101 

127 

164 

[dW,  1] 

[a  ,  a\ 

[f!,l] 

p 8 

ft 

N2 

1 

N 

72 

101 

99 

124 

165 

[dw,  1] 

[a  ,  a\ 

[fi2,l] 

p 8 

ft 

N2 

1 

N2 

72 

102 

100 

128 

166 

[dw,  1] 

[a8,  a2} 

[ft2, 12] 

p 8 

ft2 

0 

N2 

N2 

72 

97 

98 

117 

167 

[dw,  1] 

[a8,  a2] 

[f!,l] 

p 8 

ft2 

0 

N2 

N2 

72 

98 

99 

119 

168 

[dw,  1] 

[a8,  a2] 

[ft2,  1] 

p 8 

ft2 

0 

N2 

N 

72 

100 

98 

120 

169 

[dw,  1] 

[a,l] 

[ft2,  ft] 

/58 

ft 

N 

N2 

N 

73 

99 

98 

122 

170 

[dw,  1] 

a,l] 

[f!,l] 

/58 

ft 

N 

N2 

N 

74 

103 

102 

125 

171 

[dW,  1] 

[a,l] 

[ft2,  1] 

/38 

ft 

N 

N2 

N2 

74 

103 

102 

128 

172 

[dw,  1] 

[a4, 1] 

[ft2,  ft] 

/?8 

ft 

N 

1 

N 

73 

101 

102 

125 

173 

[dw,  1] 

[a4, 1] 

[f!,l] 

/58 

ft 

N 

1 

N 

73 

99 

101 

124 

174 

[dw,  1] 

[a4, 1] 

[ft2,l] 

/?8 

ft 

N 

1 

N2 

73 

101 

101 

125 

175 

[dw,  1] 

[«2,1] 

[ft2,  ft] 

/58 

ft2 

N 2 

0 

N2 

73 

98 

96 

121 

176 

[dw,  1] 

[«2,1] 

[f!,l] 

P8 

ft2 

N2 

0 

N2 

73 

99 

100 

120 

177 

[dw,  1] 

[a2,l] 

[ft2,l] 

P8 

ft2 

N 2 

0 

N 

73 

100 

101 

120 

178 

[dw,  1] 

[a8, 1] 

[ft2,  ft] 

P 8 

ft2 

N2 

N2 

N2 

73 

98 

99 

121 

179 

[dw,  1] 

[a8, 1] 

[f!,l] 

/58 

ft2 

N2 

N2 

N2 

73 

99 

101 

121 

180 

[dw,  1] 

[a8, 1] 

[ft2,l] 

/38 

ft2 

N2 

N2 

N 

73 

100 

99 

122 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF{  28) 

CF(24) 

GF{  22) 

m 

N 

c 

D 

w  = 

inv. 

S-box 

iSSSSI 

Both 

181 

[d\  1] 

[a  ,  a\ 

[Q2, 0] 

m 

ft 

N 2 

0 

N 

72 

100 

101 

124 

182 

[d\  1] 

[a  ,  a\ 

[«,  i] 

ft 

N2 

0 

N 

72 

102 

101 

124 

183 

id2, 1] 

[a  ,  aj 

[fi2,l] 

ft 

N2 

0 

N2 

72 

99 

100 

121 

184 

[d2, 1] 

[a8,  a2] 

[fi2,ll] 

ft2 

N 2 

1 

N2 

72 

97 

99 

120 

185 

[d2, 1] 

[a8,  a2] 

[«,  i] 

a2 

N2 

1 

N2 

72 

98 

98 

116 

186 

[d2, 1] 

[a8,  a2] 

[fi2,l] 

ft2 

N2 

1 

N 

72 

96 

99 

119 

187 

[d2, 1] 

[a,  1] 

[ft2, 11] 

ft 

N2 

N2 

N 

73 

102 

103 

125 

188 

[d2, 1] 

[a,  1] 

[«,  i] 

ft 

N2 

N2 

N 

73 

101 

100 

122 

189 

[d2, 1] 

[a,  1] 

[112,1] 

ft 

N2 

N2 

N2 

73 

100 

102 

125 

190 

[d2, 1] 

[a4, 1] 

[ft2,  ft] 

ft 

N2 

0 

N 

73 

100 

104 

124 

191 

[d2, 1] 

[a4, 1] 

[M 

ft 

N2 

0 

N 

73 

101 

101 

126 

192 

[d2, 1] 

a4, 1] 

[112,1] 

ft 

N2 

0 

N2 

73 

102 

103 

126 

193 

[d2, 1] 

[a2, 1] 

[Q2, 0] 

a2 

N 

N 2 

N 2 

73 

101 

102 

123 

194 

[d2, 1] 

[a2, 1] 

la  i] 

ii2 

N 

N2 

N2 

74 

101 

99 

120 

195 

[d2, 1] 

[a2, 1] 

[fi2,l] 

ii2 

N 

N 2 

N 

74 

103 

103 

127 

196 

[d2, 1] 

[a8, 1] 

[Q2,  O] 

ii2 

N 

1 

N2 

73 

98 

97 

121 

197 

[d2, 1] 

[a8, 1] 

[«,  i] 

ii2 

N 

1 

N2 

73 

97 

97 

116 

198 

[d2, 1] 

[a8, 1] 

[fi2,l] 

ft2 

N 

1 

N 

73 

101 

99 

124 

199 

W2, 1] 

a4,  a] 

[ft2,  ft] 

ft 

N 2 

0 

N 

72 

102 

102 

130 

200 

W2, 1] 

[a  ,  a\ 

[«,  i] 

ft 

N2 

0 

N 

72 

103 

100 

126 

201 

W2, 1] 

[a  ,  ckJ 

[112,1] 

ft 

N2 

0 

N 2 

72 

102 

100 

125 

202 

W2, 1] 

[a8,  a2] 

[ft2,  ft] 

ft2 

N2 

1 

N2 

72 

99 

98 

121 

203 

W2, 1] 

[a8,  a2] 

[«,  i] 

ft2 

N2 

1 

N2 

72 

96 

97 

116 

204 

W2, 1] 

[a8,  ct2] 

[112,1] 

ft2 

N2 

1 

N 

72 

99 

99 

123 

205 

W2, 1] 

[a,  1] 

[ft2,  ft] 

ft 

N2 

N 2 

N 

73 

100 

99 

125 

206 

W2, 1] 

a,  1] 

[n,i] 

ft 

N2 

N 2 

N 

73 

102 

99 

121 

207 

[di2, 1] 

[a,  1] 

P*2,!] 

ft 

N2 

N 2 

N2 

73 

101 

102 

125 

208 

W2, 1] 

[a4, 1] 

[Q2, 0] 

ft 

N 2 

0 

N 

73 

100 

103 

128 

209 

W2, 1] 

[a4, 1] 

[0,1] 

ft 

N2 

0 

N 

73 

100 

99 

120 

210 

W2, 1] 

[a4, 1] 

[fi2,l] 

ft 

N2 

0 

N2 

73 

102 

101 

122 

211 

W2, 1] 

[a2, 1] 

[Q2, 0] 

a2 

N 

N2 

N2 

73 

101 

102 

127 

212 

W2, 1] 

1] 

[0,1] 

ft2 

N 

N 2 

N2 

74 

101 

99 

125 

213 

[^,1] 

[a2, 1] 

[fi2,l] 

ft2 

N 

N 2 

N 

74 

101 

102 

125 

214 

[^,1] 

[a8, 1] 

[ft2,  ft] 

ft2 

N 

1 

N 2 

73 

98 

100 

124 

215 

[^,1] 

[a8, 1] 

[0,1] 

ft2 

N 

1 

N2 

73 

99 

97 

121 

216 

[^,1] 

[a8, 1] 

[112,1] 

Q 

ft2 

N 

1 

N 

73 

98 

99 

125 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF(  2s) 

CF(24) 

GF{  22) 

V 

N 

c 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

217 

[d4, 1] 

[a  ,  a\ 

[122,fi] 

p2 

n 

i 

N2 

N 

72 

100 

100 

123 

218 

[d\  1] 

[a  ,  a\ 

[f!,l] 

p2 

n 

i 

N2 

N 

72 

101 

99 

121 

219 

[d4, 1] 

[a  ,  a\ 

[fi2,l] 

p2 

n 

i 

N2 

N2 

72 

100 

98 

120 

220 

[d\  1] 

[a8,  a2] 

p 2 

n2 

N2 

0 

N2 

72 

98 

99 

123 

221 

[d4, 1] 

[a8,  a2] 

[f!,l] 

p2 

n2 

N2 

0 

N2 

72 

100 

101 

120 

222 

[d 4, 1] 

[a8,  a2] 

[fi2,l] 

p2 

n2 

N 2 

0 

N 

72 

98 

101 

122 

223 

[rf4,  i] 

[a,l] 

p2 

ti 

N 

1 

N 

73 

98 

99 

122 

224 

[d\  1] 

[a,l] 

[f!,l] 

p2 

n 

N 

1 

N 

73 

97 

98 

O 

t-H 

t — 1 

225 

[rf4,  i] 

[a,l] 

[fi2,l] 

p 2 

n 

N 

1 

N2 

73 

100 

101 

118 

226 

[d\  1] 

[a4, 1] 

p2 

n 

N 

N2 

N 

73 

99 

101 

122 

227 

[d\  1] 

[a4, 1] 

[f!,l] 

p2 

n 

N 

N2 

N 

74 

102 

103 

124 

228 

[d\  1] 

a4, 1] 

[fi2,l] 

p2 

n 

N 

N2 

N2 

74 

103 

101 

123 

229 

[d\  1] 

[«2,1] 

[H2,fi] 

p2 

n2 

N 2 

N 2 

N 2 

73 

99 

101 

126 

230 

[d4,  1] 

[«2,1] 

[n,i] 

p2 

n2 

N2 

N2 

N2 

73 

98 

101 

120 

231 

[d\  1] 

[«2,1] 

[fi2,l] 

p2 

n2 

N2 

N2 

N 

73 

98 

100 

124 

232 

[d4,  1] 

[a8, 1] 

p2 

n2 

N2 

0 

N2 

73 

100 

98 

120 

233 

[d\  1] 

[a8, 1] 

[f!,l] 

p2 

n2 

N2 

0 

N2 

73 

97 

98 

122 

234 

[d4,  1] 

[a8, 1] 

[fi2,l] 

p2 

n2 

N 2 

0 

N 

73 

102 

100 

124 

235 

[cf 4, 1] 

a4,  a] 

p 2 

n 

1 

N2 

N 

72 

100 

99 

118 

236 

[dM,  1] 

[a  ,  a\ 

[0,1] 

p2 

n 

1 

N2 

N 

72 

99 

97 

118 

237 

id«\  1] 

[a  ,  a] 

[fi2,l] 

p2 

n 

1 

N2 

N2 

72 

98 

98 

123 

238 

[dM,  1] 

[a8,  a2} 

p2 

n2 

N2 

0 

N2 

72 

99 

98 

122 

239 

[d«\  1] 

[a8,  a2] 

[0,1] 

p2 

n2 

N2 

0 

N2 

72 

96 

99 

117 

240 

[dm,  1] 

[a8,  a2] 

[^,1] 

p2 

n2 

N2 

0 

N 

72 

98 

99 

123 

241 

{d«\  1] 

[a,l] 

p2 

n 

N 

1 

N 

73 

96 

96 

116 

242 

1] 

a,i] 

[0,1] 

p2 

n 

N 

1 

N 

73 

98 

96 

116 

243 

PM,  i] 

[a,l] 

[H2,l] 

p 2 

n 

N 

1 

N2 

73 

97 

98 

119 

244 

[dm,  1] 

[a4, 1] 

p2 

n 

N 

N2 

N 

73 

101 

100 

120 

245 

[cf 4, 1] 

[a4, 1] 

[0,1] 

p2 

n 

N 

N2 

N 

74 

100 

102 

121 

246 

[rf«4, 1] 

[a4, 1] 

[fi2,l] 

p2 

n 

N 

N2 

N2 

74 

101 

102 

119 

247 

[cf 4, 1] 

[«2,1] 

[122,fi] 

p2 

n2 

N2 

N2 

N2 

73 

97 

99 

124 

248 

\d«\ 1] 

[«2,1] 

[0,1] 

p2 

n2 

N2 

N2 

N 2 

73 

97 

97 

116 

249 

[dm,  1] 

[a2,l] 

[fi2,l] 

p2 

n2 

N 2 

N2 

N 

73 

98 

100 

121 

250 

id«\  1] 

[a8, 1] 

p2 

n2 

N2 

0 

N2 

73 

98 

98 

120 

251 

1] 

[a8, 1] 

[0,1] 

p 2 

n2 

N2 

0 

N2 

73 

97 

97 

116 

252 

[cf 4, 1] 

[a8, 1] 

[fi2,l] 

p2 

n2 

N2 

0 

N 

73 

99 

99 

115° 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF(  28) 

CF(24) 

GF(  22) 

V 

N 

c 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

253 

[<F,  1] 

[a  , 

[122,fl] 

id4 

12 

0 

N 2 

N 

72 

101 

103 

125 

254 

[d\  1] 

[f!,l] 

id4 

12 

0 

N 2 

N 

72 

101 

102 

126 

255 

[d\  1] 

[a  ,  a\ 

[fi2,l] 

fd4 

12 

0 

N 2 

N2 

72 

100 

102 

126 

256 

[d\  1] 

[a8,  a2} 

[fi2,fl] 

fd4 

122 

1 

N 2 

N2 

72 

100 

100 

120 

257 

[d\  1] 

[a8,  a2} 

[f!,l] 

fd4 

122 

1 

N 2 

N2 

72 

100 

100 

119 

258 

d\  1] 

[a8,  a2] 

[fi2,l] 

fd 4 

122 

1 

N 2 

N 

72 

100 

99 

117 

259 

[d\  1] 

[a,l] 

fd4 

12 

N 2 

0 

N 

73 

100 

100 

122 

260 

[d\  1] 

[a,l] 

[«,1] 

fd4 

12 

N2 

0 

N 

73 

101 

101 

123 

261 

[d\  1] 

[a,l] 

[fi2,l] 

fd4 

12 

N2 

0 

N2 

73 

100 

104 

125 

262 

[d\  1] 

[a4, 1] 

fd4 

12 

N2 

N2 

N 

73 

100 

102 

126 

263 

[d\  1] 

[a4, 1] 

[f!,l] 

fd4 

12 

N2 

N2 

N 

73 

99 

101 

128 

264 

d\  1] 

a4, 1] 

[«=*,  1] 

fd4 

12 

N2 

N2 

N2 

73 

102 

103 

127 

265 

{d»,  1] 

[a2,l] 

fd4 

a2 

N 

1 

N 2 

73 

103 

101 

124 

266 

lds ,  1] 

[a2,l] 

[Si.l] 

fd4 

122 

N 

1 

N2 

73 

100 

98 

119 

267 

[d\  1] 

[a2,l] 

[H2,l] 

fd4 

122 

N 

1 

N 

73 

99 

101 

120 

268 

[d\  1] 

[a8, 1] 

[ft2,  12] 

fd4 

a2 

N 

N 2 

N2 

73 

101 

101 

120 

269 

Id”,  1] 

[a8, 1] 

[f!,l] 

fd4 

a2 

N 

N 2 

N2 

74 

101 

104 

128 

270 

[d«,  1] 

[a8, 1] 

[fi2,l] 

fd4 

a2 

N 

N 2 

N 

74 

103 

103 

128 

271 

[dV2S,  1] 

a4,  a] 

[fi2,12] 

fd4 

12 

0 

N 2 

N 

72 

99 

99 

122 

272 

[d12*,  1] 

[a  ,  a\ 

[M 

fd4 

12 

0 

N2 

N 

72 

101 

99 

124 

273 

[d12S,  1] 

4 

[a  ,  QfJ 

[fi2,l] 

fd4 

12 

0 

N2 

N 2 

72 

100 

100 

122 

274 

[d128,  1] 

[a8,  a2] 

[fi2,12] 

fd4 

122 

1 

N2 

N2 

72 

101 

99 

124 

275 

[d12«,  1] 

[a8,  a2] 

[0,1] 

fd4 

122 

1 

N2 

N2 

72 

99 

101 

120 

276 

[■ i128 ,  1] 

[a8,  a2] 

[fi2,l] 

fd4 

a2 

1 

N2 

N 

72 

99 

102 

126 

277 

[d12S,  1] 

[a,l] 

[ft2,  12] 

fd4 

12 

N2 

0 

N 

73 

101 

102 

125 

278 

[, d12S ,  1] 

a,i] 

[0,1] 

fd4 

12 

N2 

0 

N 

73 

101 

101 

122 

279 

[d12*,  1] 

[a,l] 

[fi2,l] 

fd4 

12 

N2 

0 

N2 

73 

102 

102 

125 

280 

[d12S,  1] 

[a4, 1] 

[122,12] 

fd 4 

12 

N 2 

N2 

N 

73 

101 

99 

125 

281 

[, i128 ,  1] 

[a4, 1] 

[0,1] 

fd4 

12 

N2 

N 2 

N 

73 

102 

100 

122 

282 

[, i128 ,  1] 

[a4, 1] 

[fi2,l] 

fd4 

12 

N2 

N 2 

N2 

73 

102 

102 

126 

283 

[< d12« ,  1] 

[a2,l] 

[122,12] 

fd4 

122 

N 

1 

N2 

73 

101 

100 

125 

284 

[■ i128 ,  1] 

a2,l] 

[0,1] 

fd 4 

122 

N 

1 

N2 

73 

99 

98 

121 

285 

[, i128 ,  1] 

[a2,l] 

[fi2,l] 

fd4 

a2 

N 

1 

N 

73 

102 

102 

126 

286 

[■ d 128 , 1] 

[a8, 1] 

[122,12] 

fd4 

122 

N 

N2 

N 2 

73 

100 

100 

123 

287 

[d128, 1] 

[a8, 1] 

[0,1] 

fd4 

122 

N 

N2 

N2 

74 

103 

101 

125 

288 

[d128, 1] 

[a8, 1] 

[^,1] 

fd4 

ft2 

N 

N2 

N 

74 

104 

103 

127 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF(  2s) 

CF(24) 

GF(  22) 

V 

N 

C 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

289 

[M] 

[a  , 

[122,fi] 

72 

n 

0 

N 

N 

72 

99 

100 

125 

290 

[Ml 

[CK  ,  O'] 

[!2,1] 

72 

n 

0 

N 

N 

72 

98 

98 

120 

291 

[LA] 

4 

[a  ,  a\ 

[^,1] 

72 

n 

0 

N 

N2 

72 

100 

101 

126 

292 

[Ml 

[a8,  a2] 

72 

A2 

N 

1 

N2 

72 

98 

98 

119 

293 

[LA] 

[a8,  a2] 

[!2,1] 

72 

A2 

N 

1 

N2 

72 

96 

96 

116 

294 

[Ml 

[a8,  a2] 

[fi2,l] 

72 

A2 

N 

1 

N 

72 

97 

99 

121 

295 

[LA] 

A  A] 

72 

n 

N 

0 

N 

73 

98 

97 

119 

296 

[Ml 

[a  A] 

[f!,l] 

72 

n 

N 

0 

N 

73 

97 

96 

118 

297 

[M] 

AA] 

[H2,l] 

72 

n 

N 

0 

N2 

73 

98 

100 

117 

298 

[M] 

[a4, 1] 

72 

n 

N 

N 

N 

73 

98 

98 

123 

299 

[M] 

[a4, 1] 

M 

72 

n 

N 

N 

N 

73 

99 

100 

120 

300 

[M] 

a4, 1] 

[ii2,i] 

72 

n 

N 

N 

N2 

73 

101 

102 

125 

301 

[M] 

[«2,1] 

[fi2,ii] 

72 

A2 

N 2 

N 

N 2 

73 

98 

99 

122 

302 

im 

A'2 1 1] 

[n,i] 

72 

A2 

N 2 

N 

N2 

73 

96 

99 

119 

303 

[M] 

[«M] 

[^,i] 

72 

A2 

N2 

N 

N 

73 

97 

100 

119 

304 

[M] 

[a8, 1] 

[fi2,n] 

72 

A2 

N2 

1 

N2 

73 

99 

95 

119 

305 

[£,  i] 

[a8, 1] 

[!2,1] 

72 

A2 

N2 

1 

N2 

74 

99 

98 

120 

306 

[M] 

[a8, 1] 

[^,1] 

72 

A2 

N2 

1 

N 

73 

99 

99 

122 

307 

[Liy,l] 

a4,  a] 

72 

n 

0 

N 

N 

72 

100 

101 

124 

308 

[L10,l] 

[a  ,  a\ 

[!2,1] 

72 

n 

0 

N 

N 

72 

102 

102 

126 

309 

[^M] 

[a  ,  a\ 

[H2,l] 

72 

n 

0 

N 

N 2 

72 

100 

100 

124 

310 

[^M] 

[a8,  a2] 

72 

A2 

N 

1 

N2 

72 

99 

98 

120 

311 

[£M] 

[a8,  a2] 

[«,1] 

72 

A2 

N 

1 

N2 

72 

98 

98 

125 

312 

[^M] 

[a8,  a2] 

[H2,l] 

72 

A2 

N 

1 

N 

72 

97 

99 

122 

313 

[^M] 

A  A] 

72 

12 

N 

0 

N 

73 

100 

98 

119 

314 

[^M] 

'a  A] 

[f!,l] 

72 

12 

N 

0 

N 

73 

101 

97 

120 

315 

[^M] 

AA] 

[fi2,l] 

72 

12 

N 

0 

N2 

73 

101 

100 

123 

316 

[L^,l] 

[a4, 1] 

72 

12 

N 

N 

N 

73 

100 

100 

119 

317 

[^M] 

[a4, 1] 

[!2,1] 

72 

12 

N 

N 

N 

73 

100 

100 

121 

318 

[^,1] 

[a4, 1] 

[^,1] 

72 

12 

N 

N 

N2 

73 

104 

100 

121 

319 

[LWA] 

A'2 1 1] 

72 

122 

N2 

N 

N2 

73 

99 

100 

120 

320 

[L™1] 

a2, 1] 

[!2,1] 

72 

122 

N2 

N 

N2 

73 

98 

100 

122 

321 

[LW,  1] 

A'2 1 1] 

[H2,l] 

72 

122 

N 2 

N 

N 

73 

100 

99 

121 

322 

[^M] 

[a8, 1] 

72 

122 

N 2 

1 

N 2 

73 

97 

97 

117 

323 

[LWA] 

[a8, 1] 

[11,1] 

72 

122 

N2 

1 

N2 

74 

99 

98 

118 

324 

[LW,  1] 

[a8, 1] 

[H2,l] 

72 

122 

N2 

1 

N 

73 

101 

100 

124 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF(  2s) 

GF(24) 

GF(  22) 

V 

N 

c 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

325 

[L2A] 

4 

[CK  , 

[122,fi] 

74 

H 

1 

N 

N 

72 

99 

99 

124 

326 

[L2,l] 

[CK  ,  O'] 

[0,1] 

74 

H 

1 

N 

N 

72 

98 

99 

122 

327 

[L2A] 

4 

[a  , 

[pi] 

74 

H 

1 

N 

N2 

72 

99 

99 

127 

328 

[L2, 1] 

[a8,  a2] 

pn] 

74 

n2 

0 

N 

N2 

72 

97 

99 

116 

329 

PM] 

[a8,  a2] 

[0,1] 

74 

n2 

0 

N 

N2 

72 

98 

100 

124 

330 

PM] 

[a8,  a2] 

[pi] 

74 

n2 

0 

N 

N 

72 

98 

99 

118 

331 

[L2, 1] 

[a,l] 

pn] 

74 

n 

N2 

1 

N 

73 

101 

102 

123 

332 

PM] 

[a,l] 

[0,1] 

74 

n 

N2 

1 

N 

73 

101 

101 

124 

333 

PM] 

[a,l] 

pi] 

74 

n 

N2 

1 

N2 

74 

101 

104 

124 

334 

PM] 

[a4, 1] 

pn] 

74 

n 

N2 

N 

N 

73 

99 

99 

120 

335 

[L2, 1] 

[a4, 1] 

[11,1] 

74 

n 

N2 

N 

N 

73 

98 

97 

121 

336 

PM] 

a4, 1] 

Pi] 

74 

n 

N2 

N 

N2 

73 

99 

100 

121 

337 

PM] 

[«M] 

[pft] 

74 

n2 

N 

0 

N2 

73 

100 

102 

126 

338 

PM] 

[«M] 

[0,1] 

74 

n2 

N 

0 

N2 

73 

99 

102 

125 

339 

[L2, 1] 

[«M] 

Pi] 

74 

n2 

N 

0 

N 

73 

100 

103 

124 

340 

PM] 

[a8, 1] 

[pft] 

74 

n2 

N 

N 

N2 

73 

99 

98 

118 

341 

PM] 

[a8, 1] 

[0,1] 

74 

n2 

N 

N 

N2 

73 

101 

102 

123 

342 

[L2, 1] 

[a8, 1] 

pi] 

74 

n2 

N 

N 

N 

73 

101 

102 

124 

343 

[L™,  1] 

a4,  a] 

[pft] 

74 

n 

1 

N 

N 

72 

100 

103 

126 

344 

[L*2, 1] 

[a  ,  a\ 

[0,1] 

74 

n 

1 

N 

N 

72 

101 

100 

125 

345 

[L*2, 1] 

[a  ,  a\ 

Pi] 

74 

n 

1 

N 

N2 

72 

102 

103 

127 

346 

[L*2, 1] 

[a8,  a2] 

[pft] 

74 

n2 

0 

N 

N2 

72 

101 

99 

123 

347 

[L*2, 1] 

[a8,  a2] 

[0,1] 

74 

n2 

0 

N 

N2 

72 

96 

96 

117 

348 

[L*2, 1] 

[a8,  a2] 

Pi] 

74 

n2 

0 

N 

N 

72 

99 

98 

120 

349 

[L*2, 1] 

[a,1] 

[pft] 

74 

n 

N2 

1 

N 

73 

102 

103 

130 

350 

[L*2, 1] 

a,l] 

[0,1] 

74 

n 

N2 

1 

N 

73 

102 

101 

125 

351 

PM] 

[a,l] 

[pi] 

74 

n 

N2 

1 

N2 

74 

103 

104 

129 

352 

PM] 

[a4, 1] 

[pfi] 

74 

n 

N2 

N 

N 

73 

102 

101 

126 

353 

P2, 1] 

[a4, 1] 

[0,1] 

74 

n 

N2 

N 

N 

73 

101 

102 

126 

354 

PM] 

[a4, 1] 

Pi] 

74 

n 

N2 

N 

N2 

73 

103 

102 

128 

355 

PM] 

[«M] 

[pft] 

74 

n2 

N 

0 

N2 

73 

102 

101 

124 

356 

PM] 

«M] 

[0,1] 

74 

n2 

N 

0 

N2 

73 

99 

99 

118 

357 

P  M] 

[«M] 

pi] 

74 

n2 

N 

0 

N 

73 

99 

102 

125 

358 

PM] 

[a8, 1] 

[pfi] 

74 

n2 

N 

N 

N2 

73 

102 

100 

124 

359 

PM] 

[a8, 1] 

[11,1] 

74 

n2 

N 

N 

N2 

73 

100 

100 

124 

360 

PM] 

[a8, 1] 

[H2,l] 

74 

n2 

N 

N 

N 

73 

100 

102 

122 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF(  2s) 

CF(24) 

GF(  22) 

V 

N 

c 

D 

w  = 

inv. 

S-box 

S-box  1 

Both 

361 

[L\  1] 

[a  ,  a\ 

78 

H 

N 

0 

N 

72 

95 

97 

119 

362 

[L\  1] 

[a  ,  a\ 

[f!,l] 

78 

H 

N 

0 

N 

72 

96 

97 

117 

363 

[L\  1] 

[a  ,  a\ 

[^,1] 

78 

H 

N 

0 

N2 

72 

97 

98 

117 

364 

[L\  1] 

[a8,  a2] 

78 

n2 

1 

N 

N2 

72 

97 

96 

118 

365 

[L\  1] 

[a8,  a2] 

[f!,l] 

78 

n2 

1 

N 

N2 

72 

96 

94 

115 

366 

[L\  1] 

[a8,  a2] 

[fi2,l] 

78 

n2 

1 

N 

N 

72 

95 

93 

116 

367 

[L\  1] 

[a,l] 

78 

n 

N 

N 

N 

73 

96 

97 

114° 

368 

[L\  1] 

[a,l] 

[f!,l] 

78 

n 

N 

N 

N 

73 

98 

96 

118 

369 

[L\  1] 

[a,l] 

[H2,l] 

78 

n 

N 

N 

N2 

73 

98 

99 

119 

370 

[L\  1] 

[a4, 1] 

78 

n 

N 

0 

N 

73 

97 

98 

119 

371 

[L\  1] 

[a4, 1] 

[11,1] 

78 

n 

N 

0 

N 

73 

96 

97 

118 

372 

[L\  1] 

a4, 1] 

[H2,l] 

78 

n 

N 

0 

N2 

73 

99 

99 

117 

373 

[L\  1] 

[«2,1] 

[H2,H] 

78 

n2 

N 2 

1 

N 2 

73 

101 

98 

122 

374 

[L\  1] 

[«2,1] 

[fi,l] 

78 

n2 

N2 

1 

N2 

74 

98 

99 

120 

375 

[L\  1] 

[«2,1] 

[H2,l] 

78 

n2 

N 2 

1 

N 

73 

98 

98 

119 

376 

[L\  1] 

[a8, 1] 

[H2,H] 

78 

n2 

N 2 

N 

N2 

73 

98 

95 

110° 

377 

[L\  1] 

[a8, 1] 

[f!,l] 

78 

n2 

N 2 

N 

N2 

73 

97 

95 

116 

378 

[L\  1] 

[a8, 1] 

[H2,l] 

78 

n2 

N2 

N 

N 

73 

99 

98 

120 

379 

[■ L e4, 1] 

a4,  a] 

[H2,H] 

78 

n 

N 

0 

N 

72 

99 

102 

127 

380 

[LM,  1] 

[a  ,  a\ 

[f!,l] 

78 

n 

N 

0 

N 

72 

102 

101 

128 

381 

[LM,  1] 

[a  ,  a\ 

[H2,l] 

78 

n 

N 

0 

N2 

72 

99 

101 

128 

382 

[LM,  1] 

[a8,  a2] 

[H2,H] 

78 

n2 

1 

N 

N2 

72 

99 

98 

119 

383 

[L«\  1] 

[a8,  a2] 

[f!,l] 

78 

n2 

1 

N 

N2 

72 

99 

100 

120 

384 

[LM,  1] 

[a8,  a2] 

[H2,l] 

78 

n2 

1 

N 

N 

72 

99 

98 

122 

385 

[LM,  1] 

[a,1] 

[H2,H] 

78 

n 

N 

N 

N 

73 

100 

100 

121 

386 

[LM,  1] 

a,l] 

[f!,l] 

78 

n 

N 

N 

N 

73 

102 

100 

124 

387 

[LM,  1] 

[a,l] 

[H2,l] 

78 

n 

N 

N 

N2 

73 

101 

103 

124 

388 

[LM,  1] 

[a4, 1] 

[H2,H] 

78 

n 

N 

0 

N 

73 

98 

101 

123 

389 

[LM,  1] 

[a4, 1] 

[0,1] 

78 

n 

N 

0 

N 

73 

100 

99 

124 

390 

[L«\  1] 

[a4, 1] 

[H2,l] 

78 

n 

N 

0 

N 2 

73 

102 

101 

121 

391 

[L«\  1] 

[«M] 

[H2,H] 

78 

n2 

N2 

1 

N2 

73 

99 

100 

123 

392 

[LM,  1] 

a2, 1] 

[0,1] 

78 

n2 

N2 

1 

N2 

74 

102 

100 

122 

393 

[LM,  1] 

[a2,l] 

[H2,l] 

78 

n2 

N 2 

1 

N 

73 

101 

99 

124 

394 

{L«\  1] 

[a8, 1] 

[122,H] 

78 

n2 

N2 

N 

N2 

73 

101 

99 

120 

395 

[LM,  1] 

[a8, 1] 

[11,1] 

78 

n2 

N 2 

N 

N2 

73 

99 

99 

121 

396 

[LM,  1] 

[a8, 1] 

[H2,l] 

78 

n2 

N2 

N 

N 

73 

102 

98 

121 

°fully  optimized  results 
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Case  Bases  Norms  Coefficients  XOR  Gates 


# 

GF(  2s) 

GF(24) 

GF{  22) 

i 

N 

C 

D 

w  = 

inv. 

S-box 

Hmsi 

Both 

397 

[L\  1] 

[a  ,  a\ 

[122,fi] 

ft 

N 

1 

N 

72 

102 

103 

125 

398 

1] 

[a  ,  a\ 

[0,1] 

m 

ft 

N 

1 

N 

72 

101 

101 

123 

399 

[L», 1] 

[a  ,  a\ 

[^2,1] 

a 

ft 

N 

1 

N2 

72 

103 

102 

123 

400 

[L«, 1] 

[a8,  a2] 

[122,fi] 

a 

ft2 

N 

0 

N2 

72 

99 

101 

120 

401 

[L», 1] 

[a8,  a2} 

[0,1] 

m 

ft2 

N 

0 

N2 

72 

99 

100 

119 

402 

1] 

[a8,  a2] 

[fi2,l] 

m 

ft2 

N 

0 

N 

72 

99 

98 

121 

403 

[L»,  1] 

[a,l] 

[ft2, 12] 

a 

ft 

N 2 

N 

N 

73 

101 

103 

123 

404 

[L»,  1] 

[a,l] 

[ft,  1] 

a 

ft 

N2 

N 

N 

73 

101 

103 

120 

405 

[L», 1] 

[a,l] 

[ft2,l] 

m 

ft 

N2 

N 

N2 

73 

102 

106 

123 

406 

[L»,  1] 

[a4, 1] 

[ft2,  ft] 

H 

ft 

N2 

1 

N 

73 

102 

104 

129 

407 

[L»,  1] 

[a4, 1] 

[ft,  1] 

m 

ft 

N2 

1 

N 

73 

101 

103 

125 

408 

[L», 1] 

a4, 1] 

[ft2,  1] 

m 

ft 

N2 

1 

N2 

74 

103 

104 

128 

409 

[^8, 1] 

[a2, 1] 

[ft2,  ft] 

a 

ft2 

N 

N 

N 2 

73 

102 

102 

125 

410 

1] 

[a2, 1] 

[0,1] 

a 

ft2 

N 

N 

N2 

73 

99 

103 

121 

411 

[L», 1] 

[a2, 1] 

[ft2,  1] 

a 

ft2 

N 

N 

N 

73 

101 

102 

125 

412 

[L», 1] 

[a8, 1] 

[ft2,  ft] 

H 

ft2 

N 

0 

N2 

73 

101 

100 

121 

413 

[L», 1] 

[a8, 1] 

[0,1] 

a 

ft2 

N 

0 

N 2 

73 

101 

101 

119 

414 

[L», 1] 

[a8, 1] 

[ft2,l] 

a 

ft2 

N 

0 

N 

73 

100 

101 

123 

415 

[L^,l] 

a4,  a] 

[ft2,  ft] 

m 

ft 

N 

1 

N 

72 

100 

101 

127 

416 

[L™,  1] 

[a  ,  a\ 

[0,1] 

a 

ft 

N 

1 

N 

72 

101 

100 

120 

417 

{Lr2»,  1] 

[a  ,  a\ 

[ft2,  1] 

m 

ft 

N 

1 

N2 

72 

102 

103 

128 

418 

[LV2ii,  1] 

[a8,  a2} 

[ft2,  ft] 

a 

ft2 

N 

0 

N2 

72 

98 

99 

118 

419 

[L12ii,  1] 

[a8,  a2} 

[0,1] 

a 

ft2 

N 

0 

N2 

72 

97 

101 

122 

420 

[L™ ,  1] 

[a8,  a2] 

[ft2,l] 

m 

ft2 

N 

0 

N 

72 

100 

100 

123 

421 

[L12ii,  1] 

[a,l] 

[ft2,  ft] 

a 

ft 

N2 

N 

N 

73 

101 

104 

122 

422 

[L12ii,  1] 

a,i] 

[0,1] 

m 

ft 

N2 

N 

N 

73 

101 

100 

122 

423 

[L12«,  1] 

[a,l] 

[ft2,  1] 

a 

ft 

N2 

N 

N2 

73 

102 

103 

127 

424 

[L12ii,  1] 

[a4, 1] 

[ft2,  ft] 

■ 

ft 

N2 

1 

N 

73 

103 

103 

126 

425 

[L12ii,  1] 

[a4, 1] 

[0,1] 

D 

ft 

N2 

1 

N 

73 

100 

101 

125 

426 

[L12ii,  1] 

[a4, 1] 

[ft2,l] 

B 

ft 

N2 

1 

N2 

74 

106 

105 

131 

427 

[L126, 1] 

[a2, 1] 

[ft2,  ft] 

B 

ft2 

N 

N 

N2 

73 

101 

102 

124 

428 

[L12ii,  1] 

a2, 1] 

[0,1] 

B 

ft2 

N 

N 

N2 

73 

99 

101 

122 

429 

[L128, 1] 

[a2, 1] 

[ft2,l] 

B 

ft2 

N 

N 

N 

73 

100 

104 

128 

430 

[L128, 1] 

[a8, 1] 

[ft2,  ft] 

H 

ft2 

N 

0 

N 2 

73 

98 

100 

118 

431 

[L128, 1] 

[a8, 1] 

[ft,  1] 

a 

ft2 

N 

0 

N2 

73 

97 

99 

120 

432 

[L128, 1] 

[a8, 1] 

[ft2,  1] 

B 

ft2 

N 

0 

N 

73 

101 

101 

121 

°fully  optimized  results 
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